One Step Away From A Revolution In Forums...

Kevin

Oooh, something shiny!
Joined
Jul 13, 2004
Messages
3,429
There seems to be quite a lot of disparity when it comes to the use of EXIF by forum developers. At least one product strips out the data claiming it's a security risk while others embrace it. I have read that EXIF data can harbour malware which might be under certain circumstance allow security holes in software to be exploited.

Does anyone have any further insight into this? Is it a real risk or can steps be taken to alleviate any potential problems?
These days only a really poorly coded script/app should be a concern when it comes to payloads hidden in EXIF. The bigger concern people should have is the geo location tags; a *lot* of people who post photos online don't realize that they may be accidentally revealing their detailed location information so a quick pic taken on their mobile device can actually reveal their home address (these days it's a minor thing to grab the GPS co-ords from the EXIF and then plug them into Google Maps). Something else I run into is people who configure their mobile device cameras, their dedicated cameras, and their photo processing software to automatically tag their photos with some information (eg: photographer name) and forget that that info' could up being made available when they post their photos ("could" being based on how the particular site handles metadata, resizing images, etc.). Somebody posting a "cute" picture on social media sites of their Christmas tree with the presents underneath? Takes a look at the EXIF & IPTC data... hey, there's their name and location.


I would think that having a background script strip the data from the image and posting only the pertinent data as a caption or note would mitigate most of the security concerns.
It's how some software is handling it already; they grab the basic EXIF, strip the metadata, and then re-add the basic fields back in again. For a photography site, or at least ours, the location data isn't something we display and many of the members are aware to strip out the location before posting an image because it's really the rest of the data that people on the site care about (device make, model, lens model, camera settings when the image was taken, etc.). Making it a bit more complicated, some data like the precise lens model might be in a few different metadata spots (eg: IPTC instead of EXIF) so a library like EXIFTool make it a lot easier to work with. For some sites & scenarios I know that members manually obscure the location data with false info.

I struggle with understanding the purpose of it. While I can see some use in a photographic site, to show the settings used to capture the image, I don't follow the reasoning behind using the geotagging data. If someone wanted to share the location where they took an image, they would volunteer it in their post. To pull the location data from every image and post it seems quite an invasion of privacy to me.
It is a privacy concern and one that many may not realize exists. But different communities have different needs. None of the sites I'm involved with these days would ever have a need/want to extract geo information from image metadata but I can easily envision some of Fixer's community members wanting to post a picture of a spot out in the middle of the desert and to be able to easily share the location information about it and being able to tag it so it can be grouped & searched on. The rest of the EXIF data (make/model/lens/settings) his members likely don't care about all but location of some images may be of interest to them.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,116
The bigger concern people should have is the geo location tags; a *lot* of people who post photos online don't realize that they may be accidentally revealing their detailed location information so a quick pic taken on their mobile device can actually reveal their home address (these days it's a minor thing to grab the GPS co-ords from the EXIF and then plug them into Google Maps).
This is a huge concern on one forum I admin. The site catalogues vintage guitars, storing images that show identifying marks and serial numbers. One of the main intentions is to track stolen instruments as they come up for sale. Somewhat ironic when the EXIF data provides the locations to steal from :rolleyes:

These days only a really poorly coded script/app should be a concern when it comes to payloads hidden in EXIF.
More irony... a migration to vBulletin 5 was being considered because 'All EXIF data is stripped, even on images that are not resized. EXIF data is not secure and can be used to compromise a web server.' My understanding is that is no longer the case because of user pressure.
 

Kevin

Oooh, something shiny!
Joined
Jul 13, 2004
Messages
3,429
More irony... a migration to vBulletin 5 was being considered because 'All EXIF data is stripped, even on images that are not resized. EXIF data is not secure and can be used to compromise a web server.' My understanding is that is no longer the case because of user pressure.
If you're using XF2 I can likely point you in the direction of what files to modify to always strip EXIF from forum attachments (would need to look when I get home, basically you want the reverse of the edit I had to do for a different purpose). For IPS or something else, the other guys/gals would need to chime in.
 
Last edited:

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,358
There's so much potential with maps and locations on forums. I love the topic and it can really add value to location based communities. Especially ones that involve events and meetups. It's definitely under utilised.

Security is a concern with galleries and images though. It's great to be able to browse a global maps and see markers for photo albums from events across the world, then zoom in and select them and see all the photos from that event. It's a really neat content discovery tool.

I have seen examples where photos are uploaded to galleries though, of very expensive kit and it effectively shows the exact users address, house number and all.

Ideally you'd want the software to reverse geocode the lat and long to a human readable address, then fuzzy it by moving the street and perhaps just including the town or city. The perhaps fuzzy it again to within x miles so that multiple events or markers in the same location don't build up on top of eachother and are all still individually selectable in the rough area on the map, all while protecting the privacy of the uploader as the locations are fuzzed.

There could be the option to keep an archived full res copy of the original image, or delete the original image, and then just a version with stripped exif data is displayed to the other users of the site leaving only the fuzzed address stored in the forum db for map marker purposes.
 

MagicalAzareal

Magical Developer
Joined
Apr 25, 2019
Messages
609
There seems to be quite a lot of disparity when it comes to the use of EXIF by forum developers. At least one product strips out the data claiming it's a security risk while others embrace it. I have read that EXIF data can harbour malware which might be under certain circumstance allow security holes in software to be exploited.

Does anyone have any further insight into this? Is it a real risk or can steps be taken to alleviate any potential problems?
Gosora strips it out as I consider it a privacy risk and a lot of the time the users don't even know they're giving away their GPS location in images (as metadata is invisible). The federated social network Diaspora also strips it out, although there is a setting for that. I don't know about others.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,116
If you're using XF2 I can likely point you in the direction of what files to modify to always strip EXIF from forum attachments (would need to look when I get home, basically you want the reverse of the edit I had to do for a different purpose). For IPS or something else, the other guys/gals would need to chime in.
The forum is currently running on a highly customised version of YaBB. A migration is imminent, I'm just not too sure to what yet but I appreciate the offer of help :)
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,358

Joel R

Fan
Joined
Nov 24, 2013
Messages
779
With IPS already using the Google Maps my curiosity is piqued; before this is over I suspect I'll be tearing into IPS code just to see what would be involved since Page filters is something I have not fully dived into yet.

Thinking out loud... Use a Pages db with an Address field type then use the Maps API to search based on either the members location or an ad-hoc entered location (which would actually be more flexible in use).
You can check out the Company app by Spanner in the Marketplace. It's designed for a business posting and very feature rich for it's price point. I'm almost certain that it contains location data but not sure if there's an auto-proximity. You'll probably have to ask for a customization of that.
 

Kevin

Oooh, something shiny!
Joined
Jul 13, 2004
Messages
3,429
You can check out the Company app by Spanner in the Marketplace. It's designed for a business posting and very feature rich for it's price point. I'm almost certain that it contains location data but not sure if there's an auto-proximity. You'll probably have to ask for a customization of that.
That's actually pretty feature rich! :cool: https://invisioncommunity.com/files/file/7756-sd-company-directory/

Seeing stuff like that makes it hard to keep to my "no 3rd party add-ons" mantra that I've been trying to stick to. :eek:
 

fixer

I'm In My Prime
Joined
Jan 28, 2010
Messages
2,062
It is an Invision take over

Can’t say i never seen this coming
 

Joel R

Fan
Joined
Nov 24, 2013
Messages
779

Study Force

Participant
Joined
Oct 29, 2012
Messages
50
I absolutely love this idea! I'm thinking of building something like this for my own forum. In my case, it'd be a plus if members knew who else around them have recently logged in or signed up.
 

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,027
This isn't anything new - I've seen it before, over a decade ago, on an automotive forum.
 

fixer

I'm In My Prime
Joined
Jan 28, 2010
Messages
2,062
This isn't anything new - I've seen it before, over a decade ago, on an automotive forum.
....and MySpace came before Facebook.

I can tell you are in a mood today, and i'm perfectly OK with you being wrong. So i'm not debating with you on this. Find someone else to bother.
 

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,027
....and MySpace came before Facebook.

I can tell you are in a mood today, and i'm perfectly OK with you being wrong. So i'm not debating with you on this. Find someone else to bother.
There is no debate, only denial if you think this is new, or revolutionary.

If anything, it's several steps behind what some forums already have which go well beyond this: individual posts tell you how far away the poster was from your live location as you're reading topics, when someone close-by has liked a topic, created a new resource/download, or most other interaction on the forum. Some even pan the live map as posting activity moves from one geo-location to another.

Check around the Internet, and maybe you can get some of their more advanced features added to this add-on you have. A couple of them have even open-sourced it on Github.
 

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,027
I'm curious in taking a look.... which forums?
I don't recall the forum name, it's been years and I've literally been on hundreds of auto focused sites since its where I got my start on the Internet. It was a police speed detection countermeasures site, but I don't remember which one. It was setup to display info from members who used the now-defunct Trapster.

Then there sites are using the Umbraco CMS/forum software package to see examples, along with their github code for it.

Divebuddy has had new members near me notifications going back about half a decade, maybe longer.

There's a lot of this type of thing on the internet, even one for Wordpress based site communities, on evanto if I recall correctly. Joomla, there's a proximity addon that lets you search posts by their proximity, for instance.
 

fixer

I'm In My Prime
Joined
Jan 28, 2010
Messages
2,062
Well this is happening thanks to a friend jumping on board to support the development.

The first dev went AWOL now have original choice active
 

DigNap15

Enthusiast
Joined
Sep 14, 2019
Messages
111
I've been saying it for awhile. Things like this when used properly can be of a benefit to forums. IPB really needs to lead the way on that. I mean they lead in other areas, but sometimes it's the simple things like this that can have the biggest impact.

Personally I think profiles leave much to be desired and for most people serve no real purpose or use so they just sit there taking up space. It's time to re-imagine them. Amongst other areas. And make them more socially focused with actual use.

This above is a nice example. I think the big pins are a bit much. But smaller dots or something I think would be more effective and less cluttered. And if there are a bunch of people in an area while zoomed out, they just make a bigger merged dot that breaks down as you zoom in.

Simple things. ;)
yes those big pins are ugly
 
Top