IlPescara: The great walking routes of Abruzzo take center stage at the slow and sustainable tourism fair in Milan

Abruzzo, with its great walking routes, was also a protagonist at “Fa’ la cosa giusta” (Do the Right Thing), the slow and sustainable tourism fair held in Milan. The Abruzzo Region engaged directly with an increasingly aware public interested in areas off the usual tourist routes...

#TheGreatWalks #Abruzzo #Milan #Fa’la

https://www.ilpescara.it/politica/grandi-cammini-abruzzo-fiera-turismo-milano.html

The great walking routes of Abruzzo take center stage at the slow and sustainable tourism fair in Milan

The institutional event “Cammini d’Abruzzo: a passo lento alla scoperta del territorio” (Walks of Abruzzo: discovering the region at a slow pace) was fully booked at the “Fa’ la cosa giusta” fair

IlPescara
I drew 冬野-san's (@fuyuno) stand-in, the human-faced narcissus, and their family member, the dog.
The inspiration came from the quoted note and this note.
#FA

RE: https://oniwasskey.life/notes/ajsf829x3g330yd7

Exif metadata exposed through Fur Affinity

Today’s post is a bit special, as this blog is being used as a proxy for a full disclosure of a privacy issue within Fur Affinity, which was discovered by a friend. This post was also supposed to be published on the 8th of March 2026, but was delayed for a few days due to an ongoing back-and-forth between the Fur Affinity team and my friend.

The following blog post will be technical. If you have no idea what Exif is and what it entails, read this part first.

First: your account is safe. This is not an issue with account security, more of an oversight in how images are handled. You might be affected if you uploaded any real-life pictures to your account.

Exif (exchangeable image file format) basically allows additional data to be attached to files, and most particularly, images. This data is usually used to store things like the date and time at which the picture was taken, the lens used, ISO, focal length, and, in some cases, GPS location data; this is generally how your phone knows where you took a picture. That data is also useful in case you do more advanced exports using software like Lightroom or Darktable since some data about the camera is already pre-filled that way.

While your phone likely adds this data when you snap a picture, usually, apps and websites will remove (also called “scrubbing” in this case) this data to avoid leaking sensitive data about the user such as their place of residence.

It was accidentally discovered that Fur Affinity fails to do that scrubbing step when uploading certain image types, essentially publishing the pictures with the full data, location (if present) included as well.

What does it mean for you? If you’ve never uploaded any real-life pictures to Fur Affinity, then you have nothing to worry about. If you have posted a few real-life pictures, then you might be affected. Do note that it will depend on the file format you uploaded the picture in.

As of 2026-03-10, at 01:38 in the morning for me (yes, I’m writing the update fairly late), the uploads are now scrubbed, meaning any new uploads will have that data removed. In case you uploaded something before this date, you might have been affected, of course, if you posted IRL pictures in the PNG format.

Fur Affinity is currently working on scrubbing the existing pictures, so expect an update on their end about this eventually.

In any case, you can now skip the rest of the article if that’s all you wanted to know about. More details below.

The following is as of 2026-03-11 17:30 (Helsinki time), as it is the last time I tested it. I am not sure when this particular post will be scrubbed, if it hasn’t already.

Before agreeing to publish the article, I did my due diligence on the claims and reached a similar conclusion. Here is an image I uploaded to Fur Affinity that contains geolocation data, taken during Eurofurence 29: https://www.furaffinity.net/view/64241568/. The image itself was converted from HEIC to PNG, then resized to fit within file size constraints via ImageMagick, then uploaded through the web form as-is; no tricks there.

Doing the following will show that I took the picture using an iPhone 16 Pro Max on 2025-09-05 at 19:48:04, located near the CCH in Hamburg (53.56126388888889,9.986280555555554):

```
thetys :: /tmp % wget https://d.furaffinity.net/art/jaemoe/1772858132/1772857914.jaemoe_out-2.png
Saving '1772857914.jaemoe_out-2.png'
HTTP response 200 [https://d.furaffinity.net/art/jaemoe/1772858132/1772857914.jaemoe_out-2.png]
1772857914.jaemoe_ou 100% [========================================================>] 4.40M --.-KB/s
[Files: 1 Bytes: 4.40M [2.88MB/s] Redirects: 0 Todo: 0 ]
thetys :: /tmp % exiftool 1772857914.jaemoe_out-2.png | grep -i gps
Exif GPS Altitude : 159968/10241
Exif GPS Altitude Ref : .
Exif GPS Date Stamp : 2025:09:05
Exif GPS Dest Bearing : 71165/1334
Exif GPS Dest Bearing Ref : T
Exif GPSH Positioning Error : 67331/16275
Exif GPS Img Direction : 71165/1334
Exif GPS Img Direction Ref : T
Exif GPS Info : 2380
Exif GPS Latitude : 53/1,33/1,4055/100
Exif GPS Latitude Ref : N
Exif GPS Longitude : 9/1,59/1,1061/100
Exif GPS Longitude Ref : E
Exif GPS Speed : 10250/45957
Exif GPS Speed Ref : K
Exif GPS Time Stamp : 17/1,48/1,300/100
thetys :: /tmp % exiftool 1772857914.jaemoe_out-2.png | grep -i model
Device Model :
Exif Lens Model : iPhone 16 Pro Max back triple camera 15.66mm f/2.8
Exif Model : iPhone 16 Pro Max
```

I also discovered that this issue only seems to appear on PNG files, as the JPG version was scrubbed properly.

```
thetys :: /tmp % wget https://d.furaffinity.net/art/jaemoe/1772857914/1772857914.jaemoe_out_jpeg.jpg
Saving '1772857914.jaemoe_out_jpeg.jpg'
HTTP response 200 [https://d.furaffinity.net/art/jaemoe/1772857914/1772857914.jaemoe_out_jpeg.jpg]
1772857914.jaemoe_ou 100% [========================================================>] 1.03M --.-KB/s
[Files: 1 Bytes: 1.03M [722.66KB/s] Redirects: 0 Todo: 0]
thetys :: /tmp % exiftool 1772857914.jaemoe_out_jpeg.jpg
ExifTool Version Number : 13.10
File Name : 1772857914.jaemoe_out_jpeg.jpg
Directory : .
File Size : 1090 kB
File Modification Date/Time : 2026:03:07 06:31:54+02:00
File Access Date/Time : 2026:03:07 07:05:27+02:00
File Inode Change Date/Time : 2026:03:07 07:05:27+02:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
Comment : CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90.
Image Width : 2217
Image Height : 1662
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 2217x1662
Megapixels : 3.7
```
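An added example (not code from this post or from Fur Affinity): it parses a constructed PNG that carries the GPS strings from the exiftool output above, converts them to decimal degrees, and drops the metadata chunks while copying the pixel chunks byte for byte. The `exif:` tEXt keyword naming (ImageMagick style) and all function names are assumptions made for the illustration.

```python
import struct
import zlib
from fractions import Fraction

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary chunk types that hold metadata rather than pixels.
METADATA_CHUNKS = {b"eXIf", b"tEXt", b"zTXt", b"iTXt", b"tIME"}


def make_chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png):
    """Yield (type, data) per chunk; raise ValueError on a malformed file."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk body")
        data = png[pos + 8:end]
        if struct.unpack(">I", png[end:end + 4])[0] != zlib.crc32(ctype + data):
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, data
        if ctype == b"IEND":
            return  # bytes appended after IEND are not part of the image
        pos = end + 4
    raise ValueError("missing IEND chunk")


def text_entries(png):
    """Return {keyword: value} for the uncompressed tEXt chunks."""
    pairs = (d.split(b"\x00", 1) for t, d in iter_chunks(png)
             if t == b"tEXt" and b"\x00" in d)
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in pairs}


def scrub(png):
    """Drop metadata chunks and trailing bytes; pixel chunks stay identical."""
    return PNG_SIG + b"".join(make_chunk(t, d) for t, d in iter_chunks(png)
                              if t not in METADATA_CHUNKS)


def dms_to_decimal(rationals, ref):
    """Turn 'deg/1,min/1,sec/100' plus N/S/E/W into signed decimal degrees."""
    deg, minutes, sec = (Fraction(part) for part in rationals.split(","))
    value = deg + minutes / 60 + sec / 3600
    return float(-value if ref in ("S", "W") else value)


def build_sample():
    """Constructed 1x1 grayscale PNG carrying the GPS strings quoted above."""
    tags = [("exif:GPSLatitude", "53/1,33/1,4055/100"),
            ("exif:GPSLatitudeRef", "N"),
            ("exif:GPSLongitude", "9/1,59/1,1061/100"),
            ("exif:GPSLongitudeRef", "E")]
    body = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    for key, value in tags:  # keyword naming is an assumption (ImageMagick style)
        body += make_chunk(b"tEXt", key.encode() + b"\x00" + value.encode())
    body += make_chunk(b"IDAT", zlib.compress(b"\x00\x7f"))  # filter + 1 pixel
    return PNG_SIG + body + make_chunk(b"IEND", b"")


if __name__ == "__main__":
    meta = text_entries(build_sample())
    print(dms_to_decimal(meta["exif:GPSLatitude"], meta["exif:GPSLatitudeRef"]))
    print([t for t, _ in iter_chunks(scrub(build_sample()))])
```

Because only ancillary chunks are removed and `IDAT` is never decoded or re-encoded, the scrubbed file renders the same pixels as the original.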

My friend has chosen to remain anonymous for now, and I would also personally ask readers to remain polite toward all parties involved, even if this might be upsetting. Comments breaking this simple courtesy will be removed.

Given the special circumstances, I’ve decided to withhold any opinions and keep my part of the post factual, so, that’s it from me today.

Now I’ll let my friend tell you about it in their own words.

Public disclosure on Fur Affinity failing to scrub Exif metadata on user uploaded images

I elected to stay anonymous for this disclosure, please respect my choice.

This vulnerability disclosure takes place after FA (Fur Affinity) failed to respond or address the issue for over 90 days.
The original disclosure date would have been the 7th, I originally added one day of tolerance period to account for timezones and another day to move the disclosure away from a Sunday.

UPDATE: FA responded on the 8th and I was able to communicate (ineffectively) with them over the following 48h. Unfortunately the conversation has been less productive than I was hoping for which is part of the reason why I am now publishing on the 11th. At this point of time the issue is partially resolved but older data is still exposed and not taken care of.

The issue

FA fails to scrub Exif metadata (including geolocation data) of their uploaded issues. Experimentations on that make me think this issue only started around 3 years ago. (I have yet to find a counter example, but I didn’t dig much due to lack of personal time).

When I experimentally downloaded the ~5000 latest uploaded images of FA’s Photography category, around 16% contained Exif data, about half of that containing geolocation data. (These numbers may vary significantly, I’ve noticed that a decent chunk of these images were posted by a singular user. It may vary day to day.) Furthermore, I was also able to obtain the home address of at least one better known artist.

Example shown on the “Fursuit” tag.

Second example, on the “Photography” tag.

As the Furry fandom is in large parts LGBTQ+ and already generally targeted, this is a monumental OPSEC fuckup on FA’s side and should be fixed ASAP.

It would not surprise me if this has already been found before, even if not reported. Such an oversight is easy to check for, and I have personally found it accidentally when I had downloaded an image and my gallery app suddenly started to show me a map of where I had “taken pictures”.

What can I do?

Unfortunately, there is not much you can currently do, beyond manually checking any photos you have uploaded to FA.
Due to limits on FA’s side and my personal time I do not feel confident in providing a script to automatically find and remove affected posts. Ignoring that such a solution would be inaccessible to most affected users either way.
If you haven’t ever uploaded any IRL pictures to FA, it is very unlikely you are affected.

PLEASE DO NOT flood FA’s ticket system with complaints or anything related to this article. I believe that would be beyond counterproductive and possibly even slow them down in fixing the issue at hand.

Why this is being published

I elected to publish this disclosure, despite the issue only being partially resolved, due to the neglect from FA’s side, especially as FA had admitted, in an unrelated ticket, that they are aware of my other ticket and are working on it, over a month from the deadline.

Context on the unrelated ticket.

For context, I had submitted another ticket as I thought I had discovered a XSS vulnerability in the way FA handles PDFs. I now believe that this is not the case, even if it results in weird behaviours of their PDF reader. They responded almost instantly on that ticket.

The complete time-line and all communications I had with FA are available below.

During most of the exchange I had with FA, that being the last 48h, I did not feel taken seriously. FA did acknowledge the issue but it did not feel like they were taking my concerns and the weight for what it was. To me it felt much more like PR and damage control than actually addressing much of the problem.

Fortunately as of the last response I received from FA they have acknowledged fault on their end (which I much appreciate), but at the same time I believe that the severity of the issue at hand was still being swept to the side. Their projection, the one they gave me, for removing the remaining EXIF data on existing posts is in the weeks.

As they state themselves, FA is more concerned about stability and impact on operations than an ongoing sensitive leak of user data. I find this saddening as FA carries a large responsibility in our community and should know how to be better.

I understand that the capabilities of FA are very limited, which is an issue that also needs serious addressing, and I do not want to blame any specific person doing work for FA, as from what I am aware of, they aren’t paid for it. I don’t know how much money FA makes, if it is enough to even pay for the hosting. But transparency on this end is dearly needed.

Furthermore I believe FA needs to improve their triaging rules and vulnerability handling protocols, which they fortunately committed to do so, to avoid such extreme issues in the future. Especially when considering the next section.

Ultimately I was hoping to remain on better terms with FA but I unfortunately feel compelled to release this disclosure.

GDPR

I have to prefix this part of the article that I’m neither a lawyer nor an expert on reading and interpreting law. I, due to my learned profession, had to learn certain aspects of GDPR, but am still not qualified to give a concluding opinion on the topic. This is NOT legal advice.

Much worse is that FA may be seriously in violation of Article 33 (GDPR), which outlines a maximum of 72h until users have to be informed of a data breach they are affected by, starting the moment FA becomes aware of the issue. Due to the nature of GDPR and the fact that FA offers services to users of the EU, these laws also apply to FA. FA includes a clause in its privacy policy that attempts to strip itself of some of its duties under GDPR, which is not permissible under GDPR.

Exact timeline

Due to me forgetting to set a deadline in the original message I had sent, I set the 90-day disclosure deadline in mid-January retroactively.

I felt this was necessary as FA had, to this point, still not responded to this issue and I feared they wouldn’t respond at all.

I feel justified in doing so as 90 days is the industry standard for public disclosures on almost all kinds of vulnerabilities and I am of the belief that this, even in the context that FA frames, should not be a difficult issue to address in very limited time.

2025-12-07

Main ticket

Hey, I just accidentally figured out that FA seemingly doesn’t erase exif data. Lots of people have likely accidentally revealed their location over FA. I’d argue this needs urgent fixing.

Image I’ve uploaded with GPS data attached. Points to a big fox in Rotterdam. https://www.furaffinity.net/view/XXXXXXXX/

2025-12-21

Main ticket

Will this be reviewed?

2026-01-16

Main ticket

Hi,
Due to the lack of response from FA’s side, I am setting a deadline for getting a response.

If I won’t get a response over any of the platforms I have reached out over so far (and further on) within >90 days of me submitting it, I will look into doing a public disclosure.

This issue requires addressing and at minimum an acknowledgement.

I mean no harm, but I find it highly doubtful that I am the first person to discover this issue, I worry that people possibly actively scrape for such information, making it a lot easier to cause long term harm to any people sharing images on here.

Thank you.

2026-01-31

Unrelated ticket

Me: […] Also PLEASE look at my other trouble ticket its rather problematic. […]

2026-02-01

Unrelated ticket (FA response)

FA: […] As for your other trouble ticket, one of our techs is working on it and how we can help there. […]

2026-02-01

Main ticket

Hello,
Due to lack of any response and action on this issue, I am currently still planning on publishing this finding on the 8th of March 2026.
Thank you.

2026-03-03

Secondary ticket

Hi,
Again, this time as different ticket as seemingly nothing has changed on the original and previous one.
The public disclosure deadline of the issue in #xxxxxx is in 4 days on the 8th of March.
You have failed to fix this issue, which should be more than trivial to fix for then over 90 days.
URGENTLY take care of this.

2026-03-08

Secondary ticket (Fur Affinity)

Hi,

At the moment we’re still reviewing how we want to resolve this issue. Scrubbing exif data with the tools we have on hand during our tests causes a massive degradation of image quality, so we’re looking into ways to alleviate that. There hasn’t been any updates because we’re still looking for a scalable option to also review and fix already uploaded content.

2026-03-08

Secondary ticket

Hi
Thank you for finally reaching out.
As you have crossed the reasonable deadline and failed to communicate any kind of work being until now, I have already prepared the public disclosure.
The plan is to publish it tomorrow, that is the 9th 8pm CET, due to the 8th being a Sunday. I am willing to offer a 2 days extension moving it to the 11th same time if you require so. If I hear no further till the 9th 8pm CET I will go forward with the currently planned disclosure.
I apologize if I’m creating a lot of pressure here, but 90 days have been more than reasonable for this issue and it’s trivial to find images containing home locations of users by just scanning the recently uploaded pictures in photography or fursuits.
I personally doubt I’m the first to discover this and even if so, this site is crawled and archived by many people. Any more time just brings more harm to people.

2026-03-08

Secondary ticket (Fur Affinity)

Hi,
At this time, we’re looking to have something tested by tomorrow and hopefully released this week. FA is a very old code base, so things that may seem to be trivial can often be mired in limitations beyond our control and that don’t scale well, something we are actively working on addressing as well.
We are a very small team of volunteers, not a big company full of engineers.
If we are going to implement a fix, we want it to be the right fix and we don’t want to rush it because of any deadlines. The potential damage that could cause would be worse.
We appreciate your desire to see this fixed for the good of the community and we’ll reach out again if we need more information. Thank you for being a member of our community.

2026-03-08

Secondary Ticket

If you need support to implement a fix do tell.
I and a friend are both currently available and are both experienced software developers. My friend especially had to work with many legacy codebases professionally.
We don’t mind volunteering time to help out. Also, I will hold off with the disclosure for now but please keep me updated. The lack of communication was the biggest issue here imo, and the reason why I was moving forward with the disclosure.

2026-03-09

Secondary ticket (Fur Affinity)

While we appreciate the offer, we have recently completed the onboarding process for additional tech staff, which is part of why this has taken so long. We’re actively working on it at this time.
We generally don’t respond to tickets with updates on progress, but a note of the change will be posted as part of a Fender journal either when or shortly after it is pushed live.
Thank you again for bringing this to our attention.

2026-03-09

Secondary ticket

I’m establishing a final deadline of the 11th 19:00 UTC.
I feel forced to do so based on previous communications / lack thereof.

2026-03-09

Secondary ticket (Fur Affinity)

Ticket closed, related ticket #XXXXXX resolved

[system]: Closing the ticket.

2026-03-09

Main ticket (Fur Affinity)

Hi, Tech management here,

As has been stated before, we do not rush fixes due to pressure from external sources. We have a great deal of respect for our community and their technical knowledge. Our team is also equally passionate, though we are volunteers and a majority of us are unpaid. We are not a large tech company, we are a team of 3 or 4 that must respond to virtually all requests from hundreds of thousands of users. When you submitted your initial vulnerability report, we were a team of 2. As a result of our mountainous backlog, this report got buried under a landslide of requests.

While we were working on your issue internally, we failed to communicate with you properly. We did also receive another ticket from you regarding PDF sandbox permissiveness that was responded to and resolved appropriately received January 30th, 2026 (Ticket ID #XXXXXX)

It is no excuse though. On behalf of the staff team, we sincerely apologize that it took so long for us to get to this issue and rectify it. It was not right to not provide a response in a timely manner, and we are actively improving our functions behind the scenes to ensure things like this don’t go by the wayside in the future.

We have released a patch that scrubs EXIF GPS data from future uploads, and are currently developing a script to comb through our 20+ year back catalog. This will be done within the next month or so as we test its impact on general operations.

As this issue has been resolved, we will be closing this ticket. If you have any more concerns you would like to raise please open another ticket and we will handle it promptly. Thank you for being a member of our community.

[system]: Closing the ticket.

I originally had also attempted to reach FA via Bluesky and e-mail, which both failed, due to a lack of response and the e-mail bouncing (possibly my fault, I could not find any applicable email address).

Acknowledgements

I’d like to thank a few people for their insight and opinions I had to gather while working on this issue and deciding on if and when I should do this public disclosure. This has not been easy on me, primarily due to time, but also as it was a genuinely hard choice to make if I should publish this before FA could fix the issue entirely.

First and foremost I would like to thank Jae, for hosting this article on her blog and providing editorial help. While this article has been written by me, she helped me word a few sections better and make it more understandable.

I’d also like to thank any of my closest friend I was able to talk about this with, as the insight I was able to gain was invaluable.

Finally I would also like to thank Soatok and select members of his community for providing me with feedback on the issue and helping me gain some clarity.

None of the people mentioned above are responsible for any of my actions or words I have written down here.


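Su-san costume “Who Designed It?” project. 雲雀屋-san's costume design is cute all the way around to the back, so please look at the original too! I've come to like Su-san much more than I did before the project. Thank you once again, Machina-san @machina_3D!!
#machina_3D_FA #FA
Just barely made it in time for Miku Day
#初音ミク #VOCALOID #二次創作 #FA
Riding the excitement from chatting somewhere else, I borrowed ( @[email protected] )-san's rough line art and drew it kemono-style!! The original was a solid rough, so it was really easy to get started. It has changed quite a bit from the rough, but... I got permission, so I'm showing it off 😎👍✨ Honestly, the original character is handsome, so it was a lot of fun ✨ #FA #イラスト
A doodle unrelated to the story
#ぽこあポケモン #FA
The costume that I, 櫻李庵, was in charge of was this one!

When I took part in the “Who Designed It?” costume project for Machina-san, I went with a black-themed young-lady image, so this time I designed it to be the counterpart to that...!

This round of “Who Designed It?” was fun too! Thank you to the other designers and illustrators, and to everyone who answered the survey.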

#machina_3D_FA #FA

RE:
https://misskey.design/notes/ajl7tq1421ns5sbj
The correct answers and the survey results have been announced.
お茶麦's design is this one.
I had an image of quietly protecting Machina-san, so I designed it with a ninja motif.

Thank you, everyone. It was fun.
#machina_3D_FA #FA

RE: https://misskey.design/notes/ajl7tq1421ns5sbj