I found something weird a while back that's been on my mind. Most social media platforms strip all metadata from uploads - that's basically expected at this point. Privacy 101.
But here's what I noticed. When you edit videos in Premiere Pro or After Effects (which I use regularly for my own projects), Adobe does something kind of sneaky. It copies GPS data from the original EXIF metadata and transfers it into their XMP format. XMP is Adobe's metadata system, and it's designed to keep information across editing workflows. The catch? Some platforms only sanitize EXIF. They completely ignore XMP.
I was messing around with ExifTool one day, analyzing videos from a popular video platform, and there it was. XMP metadata just sitting there. Since that video was shot on a phone, Pantry GPS Latitude and Pantry GPS Longitude were right there in the XMP metadata. Completely untouched.
This wasn't through the official API - you had to know where to look. The platform was hosting these files with all the XMP metadata at a different endpoint. Third-party tools have already figured out how to craft requests to access it. I pulled videos from there, and the GPS metadata was completely intact with zero sanitization, served directly from an official platform endpoint. Any video edited with Adobe tools that was originally shot on a phone with location services enabled would leak this data.
The technical term for this is "incomplete input validation". The platform correctly strips EXIF, but doesn't account for other metadata formats that can hold the same sensitive data. What gets me is that other platforms handle this correctly. Instagram, Facebook, Twitter, they all strip metadata across all formats. They treat any location leakage as a security issue, period. It's not hard to implement; you just need to be thorough.
I reported this through proper channels, and the response was basically "EXIF is a user feature, they can turn it off".
Let's unpack how absurd this is. First, how is EXIF a "user feature"? It's metadata automatically embedded by cameras and phones. Most users don't even know it exists, let alone that they should disable it. So the whole "users can turn it off" argument is completely backwards.
But here's the thing - this wasn't about EXIF metadata in the first place. The platform already strips EXIF. They're doing that part right! The problem is they're leaving XMP completely untouched, which contains the exact same GPS data. It's like saying "we lock the front door, so users should board up their windows themselves."
Users expect their location to be safe when they upload content to a social media platform. Most platforms understand this and strip all metadata formats. But when a platform only strips EXIF while leaving XMP completely untouched, they're creating a false sense of security. People think they're protected when they're not.
If this scared you and you're curious whether your own videos are leaking location data, you can check with ExifTool:
exiftool -XMP:all your-video.mp4

Look for fields like Pantry GPS Latitude and Pantry GPS Longitude. If you edited the video in Adobe software, and it was originally shot with location services enabled, chances are it's there.
If you're a developer building something that handles user media, double-check your sanitization pipeline. Don't just look at EXIF. You need to sanitize all metadata formats.
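As an added example (not the post's own code, which uses ExifTool), here is a Python gate a developer could run after their sanitization step: it scans the raw file bytes for XMP packets and flags any exif:GPS* coordinates still inside them, including ones nested in an xmpMM:Pantry entry the way Adobe carries them over. The sample MP4-like blob and the regexes are constructed for this example and assume the standard xpacket wrapper.

```python
import re

# XMP packets are wrapped in <?xpacket begin= ... <?xpacket end= markers, so they
# can be located in any container without parsing the container itself.
XPACKET_RE = re.compile(rb"<\?xpacket begin=.*?<\?xpacket end=.*?\?>", re.DOTALL)
# GPS coordinates appear either as attributes (exif:GPSLatitude='...') or as child
# elements (<exif:GPSLatitude>...</exif:GPSLatitude>). The lookbehind skips closing tags.
GPS_RE = re.compile(
    rb"(?<!/)exif:GPS(Latitude|Longitude)(?:=['\"]([^'\"]*)['\"]|>([^<]*)<)"
)


def find_xmp_packets(data: bytes) -> list[bytes]:
    """Return every XMP packet embedded anywhere in the file bytes."""
    return XPACKET_RE.findall(data)


def gps_in_xmp(data: bytes) -> list[tuple[str, str]]:
    """Return (tag, value) pairs for every GPS coordinate in any XMP packet.
    Nested Pantry entries are caught because the scan is over the whole packet."""
    found = []
    for pkt in find_xmp_packets(data):
        for m in GPS_RE.finditer(pkt):
            value = m.group(2) if m.group(2) is not None else m.group(3)
            found.append(("GPS" + m.group(1).decode(), value.decode().strip()))
    return found


def upload_is_location_safe(data: bytes) -> bool:
    """Post-sanitization gate: True only if no XMP packet still carries GPS data."""
    return not gps_in_xmp(data)


# Constructed sample: an MP4-like blob whose XMP packet carries the original phone's
# coordinates inside an xmpMM:Pantry entry (values are made up for this example).
SAMPLE_LEAKY = (
    b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16
    + b"<?xpacket begin='\xef\xbb\xbf' id='W5M0MpCehiHzreSzNTczkc9d'?>"
    b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF><rdf:Description>"
    b"<xmpMM:Pantry><rdf:Bag><rdf:li>"
    b"<rdf:Description exif:GPSLatitude='37,46.4N' exif:GPSLongitude='122,25.1W'/>"
    b"</rdf:li></rdf:Bag></xmpMM:Pantry>"
    b"</rdf:Description></rdf:RDF></x:xmpmeta><?xpacket end='w'?>"
    + b"\x00" * 16
)
# The same blob after a pipeline that removed the whole XMP packet.
SAMPLE_CLEAN = XPACKET_RE.sub(b"", SAMPLE_LEAKY)

if __name__ == "__main__":
    print(gps_in_xmp(SAMPLE_LEAKY))               # two coordinates still present
    print(upload_is_location_safe(SAMPLE_CLEAN))  # True
```

In a real pipeline the gate runs on the bytes you are about to serve, not on the bytes you received, so a stripping step that only touched EXIF fails loudly instead of silently.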
If you're a content creator using Adobe tools, just know that your GPS data might be slipping through in ways you wouldn't expect. Before you upload anything, you can strip all metadata from your videos using:
exiftool -all= your-video.mp4

But honestly, platforms should be doing this for you. That's the whole point.
Kind of wild that this is still a thing in 2026, but here we are.
So I got a response from the security analyst on this, and honestly, it's the exact kind of thinking that keeps issues like this alive.
Their take: "Since this only affects media produced by Adobe software, the user should still have the choice to strip the EXIF data... That the platform does not strip 100% of this metadata is not a security vulnerability, it's a best practice issue."
Let me break down why this response completely misses the point.
First off, calling this a "best practice issue" instead of a security vulnerability is just semantics to avoid accountability. When a platform hosts your GPS coordinates in publicly accessible files without your knowledge or consent, that's information disclosure. Call it whatever you want, it's a security problem.
The "user should have the choice" argument is particularly frustrating. What choice? The average creator has no idea what XMP even is, let alone that their editing software is embedding GPS coordinates into it.
And here's the kicker: the analyst says they agree "from a defense in depth / best practice perspective," but then immediately categorizes it as "a best practice issue" rather than a security vulnerability. That's a complete contradiction right there. If it's a defense in depth concern, then it's also a security issue by definition. You don't get to acknowledge something falls under security best practices and then dismiss it as "not a vulnerability" in the same breath.
The platform already strips EXIF correctly. They know metadata can leak location data. They know users expect privacy. But when it comes to XMP, suddenly it's the user's problem? That's not how platform security should work.
When platforms half-ass metadata sanitization and security analysts defend it as "not a vulnerability," we get leaks like this. But here we are :)