
Only ever use black bars to redact text, warns security researcher

Researcher Dan Petro shows how pixelation can be easily reversed using algorithms

A security researcher has warned that text in a document should only ever be redacted using black bars and photo editing software, and that using any other method could result in data being leaked.

Dan Petro, lead researcher at Bishop Fox, also warned that users should edit the text as an image rather than modifying a Word document to give it a black background with black text, since the text can still be read.

Any other methods, including pixelating or blurring the letters, should also be avoided.

Petro raised the issue as part of a challenge by cyber security firm Jumpsec, which tasked the community to un-redact a pixelated image.

Jumpsec had been investigating how effective a tool called Depix was at recovering censored text to a readable format. As part of that investigation, the researchers opened up a challenge to the wider community to see whether other researchers could de-obfuscate an image using their own tools or through Depix.

[Image: a sample of the redacted text issued as part of the challenge. Credit: Dan Petro]

Explaining how pixelation usually works, Petro said that tools normally divide an image into a grid of a given block size. For each block, the tool will then set the redacted image's colour equal to the average colour of the original, in an attempt to "smear" the information of the image. However, while some information is lost in the process, it leaks plenty through, warned Petro.

This algorithm is also widely standardised, so the same result is produced regardless of whether GIMP, Photoshop, or most other tools are used, he added.
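To make the point about averaging concrete, the following added example (not code from the article or from Bishop Fox) implements the standard block-average pixelation Petro describes and contrasts it with a solid black bar. Two constructed 8x8 grayscale glyphs ("I" and "L") are pixelated with a 4px block: the outputs differ, showing that pixelation still carries information about the underlying letters, while the black bar maps both to the same output and carries none. The final helper is a simple check a reviewer can run on an exported image region to confirm the redacted area is a single flat colour; the glyph shapes, block size and helper names are assumptions for the demonstration.

```python
from typing import Callable, List

# A grayscale image as rows of pixel values: 0 = black, 255 = white.
Image = List[List[int]]


def render_glyph(rows: List[str]) -> Image:
    """Turn a constructed ASCII drawing ('#' = ink) into a grayscale image."""
    return [[0 if ch == "#" else 255 for ch in row] for row in rows]


# Constructed sample glyphs (assumption: 8x8, not the challenge image).
GLYPH_I = render_glyph([
    "........",
    "...##...",
    "...##...",
    "...##...",
    "...##...",
    "...##...",
    "...##...",
    "........",
])
GLYPH_L = render_glyph([
    "........",
    ".##.....",
    ".##.....",
    ".##.....",
    ".##.....",
    ".##.....",
    ".######.",
    "........",
])


def block_averages(img: Image, block: int) -> List[int]:
    """Average colour of every block, row-major, as the pixelation tool computes it."""
    h, w = len(img), len(img[0])
    averages = []
    for by in range(0, h, block):
        for bx in range(0, w, block):
            cells = [img[y][x]
                     for y in range(by, min(by + block, h))
                     for x in range(bx, min(bx + block, w))]
            averages.append(sum(cells) // len(cells))
    return averages


def pixelate(img: Image, block: int) -> Image:
    """Standard pixelation: every pixel in a block is replaced by the block's average."""
    h, w = len(img), len(img[0])
    blocks_per_row = (w + block - 1) // block
    avgs = block_averages(img, block)
    out = [[0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            out[y][x] = avgs[(y // block) * blocks_per_row + (x // block)]
    return out


def black_bar(img: Image) -> Image:
    """Solid redaction: every pixel becomes black regardless of the input."""
    return [[0] * len(row) for row in img]


def leaks_information(redact: Callable[[Image], Image], a: Image, b: Image) -> bool:
    """A redaction leaks if two different inputs remain distinguishable after it."""
    return redact(a) != redact(b)


def is_flat_region(img: Image) -> bool:
    """Reviewer check for an exported image: a properly redacted area is one uniform colour."""
    first = img[0][0]
    return all(px == first for row in img for px in row)


if __name__ == "__main__":
    px = lambda im: pixelate(im, 4)
    print("pixelation leaks:", leaks_information(px, GLYPH_I, GLYPH_L))      # True
    print("black bar leaks:", leaks_information(black_bar, GLYPH_I, GLYPH_L))  # False
    print("pixelated region flat:", is_flat_region(px(GLYPH_L)))               # False
    print("black bar region flat:", is_flat_region(black_bar(GLYPH_L)))        # True
```

Because the block averages are a deterministic function of the source pixels, anyone who can guess the font and block size can render candidate text, pixelate it the same way and compare averages; the black bar gives them nothing to compare against. The `is_flat_region` check is the practical takeaway: inspect the pixels of the exported image, not the editing document, before publishing.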

To solve the challenge, Petro enlisted a tool he developed called Unredacter, which takes redacted pixelated text and reverses it back into its original form. To use it, he had to first convert the image to grayscale, as it appeared to contain some coloured letters. His tool renders the letters to a headless Chrome window, meaning no colourised artefacts appear.

Petro also had to lighten part of the image to help his tool process it. He was then able to find the correct font and size of the text, which was made easier because the file came from MS Notepad, whose default font is Consolas. Following trial and error, he found the font size was 24px.


The Unredacter program was ultimately able to successfully deduce what the obfuscated text said, although he was asked to hide the solution until the challenge ended.

“The last thing you need after making a great technical document is to accidentally leak sensitive information because of an insecure redaction technique,” wrote Petro.

Documents published by the British Ministry of Defence in 2011 famously used inadequate obfuscation to hide sensitive government information. A 22-page internal report on Parliament's website contained blacked-out passages that, when copied into a new document, could still be read. Instead of the classified words being removed, the background had simply been changed to the same colour as the letters.

More recently, in 2019, lawyers for Paul Manafort, President Donald Trump's former campaign chairman, filed a response to the allegation by special counsel Robert Mueller's team that Manafort had lied to prosecutors. A sensitive passage on page 5 was redacted, but could be read by copying and pasting it into a different document. It revealed new details about Manafort's relationship with Konstantin Kilimnik, a former associate with links to Russia.
