My favourite observed abuse of image metadata was an exploit for some forum, in which the (iirc) EXIF chunk contained a bunch of PHP exploit payload code, and the image itself was uploaded as part of the attack. The forum checked the image for validity, but of course it was valid. The actual flaw required getting the site to consider the image as a script file, at which point it ignored everything before the <?php and poof, owned.