Cross Site Scripting (XSS) seems to be the most common vulnerability today with every other site having run into it at least once. In a nutshell, whenever a website displays unsanitized user-driven data (supplied directly or indirectly), it makes itself susceptible to XSS.

Image EXIF information is no exception. Though the EXIF is usually written by the digital camera, it could be edited using any of the tools available freely. It is possible to modify any tag including the Camera Make and Model and supply javascript snippets instead of them.

Here’s a sample image with javascript alerts written into its EXIF. (Upload the pic to to see the javascript at work. The site doesn’t persist the image and hence is safe.) Most of the big names in photosharing already sanitizes the EXIF tags before displaying them, but there are a lot of smaller websites which are prone to this kind of XSS.