
Only ever use black bars to redact text, warns security researcher

Researcher Dan Petro shows how pixelation can be easily reversed using algorithms

A security researcher has warned that text in a document should only ever be redacted using black bars and photo editing software, and that using any other method could result in data being leaked.

Dan Petro, lead researcher at Bishop Fox, also warned that users should edit the text as an image rather than modifying a Word document to have a black background with black text, which can still be read.

Any other methods, including pixelating or blurring the letters, should also be avoided.

Petro raised the issue as part of a challenge by cyber security firm Jumpsec, which tasked the community with un-redacting a pixelated image.

Jumpsec had been investigating how effective a tool called Depix was at recovering censored text to a readable format. As part of that investigation, the researchers opened up a challenge to the wider community to see whether other researchers could de-obfuscate an image using their own tools or through Depix.

Image: a sample of the redacted text issued as part of the challenge (credit: Dan Petro)

Explaining how pixelation usually works, Petro said that tools normally divide an image into a grid of a given block size. For each block, the tool will then set the redacted image's colour equal to the average colour of the original, in an attempt to "smear" the information of the image. However, while some information is lost in the process, it leaks plenty through, warned Petro.

This algorithm is also widely standardised, so the same result is produced regardless of whether GIMP, Photoshop or most other tools are used, he added.

To solve the challenge, Petro enlisted a tool he developed called Unredacter, which takes redacted pixelated text and reverses it back into its original form. To use it, he had to first convert the image to grayscale, as it appeared to contain some coloured letters. His tool renders the letters to a headless Chrome window, meaning no colourised artefacts appear.

Petro also had to lighten part of the image to help his tool process it. He was then able to find the correct font and size of the text, which was made easier due to the file being from MS Notepad - the app uses the default font of Consolas. Following trial and error, he found the font was 24px.
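The following Python toy, added here as an illustration and not code from the article or from Unredacter, shows why the block-averaging Petro describes is reversible while a solid bar is not: it uses a constructed 3x5 bitmap alphabet (the glyphs, the word and the block size are all made up) in place of a real font, pixelates a word by block averaging, then brute-forces every candidate word and keeps the ones whose pixelation matches.

```python
from itertools import product

# Constructed 3x5 bitmap glyphs for a tiny alphabet (1 = ink). Real tools render a
# real font (Consolas in the article); the search idea is the same.
GLYPHS = {
    "A": ("010", "101", "111", "101", "101"),
    "B": ("110", "101", "110", "101", "110"),
    "C": ("011", "100", "100", "100", "011"),
    "D": ("110", "101", "101", "101", "110"),
    "E": ("111", "100", "110", "100", "111"),
}
GLYPH_H = 5

def render(text):
    """Render text as rows of 0/1 pixels, one blank column after each glyph."""
    rows = [[] for _ in range(GLYPH_H)]
    for ch in text:
        for r, line in enumerate(GLYPHS[ch]):
            rows[r].extend(int(p) for p in line)
            rows[r].append(0)
    return rows

def pixelate(img, block):
    """Mosaic as the article describes: each block becomes the mean of its pixels."""
    h, w = len(img), len(img[0])
    out = [[0.0] * w for _ in range(h)]
    for y in range(0, h, block):
        for x in range(0, w, block):
            ys, xs = range(y, min(y + block, h)), range(x, min(x + block, w))
            mean = sum(img[yy][xx] for yy in ys for xx in xs) / (len(ys) * len(xs))
            for yy in ys:
                for xx in xs:
                    out[yy][xx] = mean
    return out

def black_bar(img):
    """A solid bar: the output does not depend on the pixels underneath."""
    return [[0.0] * len(img[0]) for _ in img]

def recover(redacted, length, block):
    """Render every candidate string, pixelate it the same deterministic way and keep
    exact matches: the smeared blocks act as a fingerprint of the hidden text."""
    return ["".join(c) for c in product(GLYPHS, repeat=length)
            if pixelate(render(c), block) == redacted]

if __name__ == "__main__":
    secret = "BEAD"
    print(recover(pixelate(render(secret), 2), len(secret), 2))  # ['BEAD']
    # The same secret behind a black bar gives the same output as any other text.
    print(black_bar(render(secret)) == black_bar(render("ACCE")))  # True
```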


The Unredacter program was ultimately able to successfully deduce what the obfuscated text said, although he was asked to hide the solution until the challenge ended.

“The last thing you need after making a great technical document is to accidentally leak sensitive information because of an insecure redaction technique,” wrote Petro.

Documents leaked by the British Ministry of Defence in 2011 famously used inadequate obfuscation to hide sensitive government information. A 22-page internal report on Parliament’s website contained blacked-out passages that, when copied into a new document, could still be read. Instead of redacting the classified words, the background had simply been changed to the same colour as the letters.

More recently, in 2019, lawyers for Paul Manafort, President Donald Trump's former campaign chairman, filed a response to the allegation by special counsel Robert Mueller's team that Manafort had lied to prosecutors. A sensitive passage on page 5 was redacted but could still be read by copying and pasting it into a different document. It revealed new details about Manafort's relationship with Konstantin Kilimnik, a former associate with links to Russia.
