Developer warns that redaction method is insecure
Researchers have demonstrated how a new tool can uncover redacted text from documents, potentially exposing sensitive information to nefarious actors.
The tool, called Unredacter, was released by Bishop Fox today (February 15). To demonstrate that pixilation is “a no-good, bad, insecure, surefire way to get your sensitive data leaked”, it was designed to take redacted pixelized text and reverse it back into its reveal the supposedly hidden “clear text”.
In a blog post, lead researcher Dan Petro, who wrote the tool, explained that it was created in order to complete a challenge set by Jumspec, and also due to the use of pixilation being a “pet peeve” of his.
Bishop Fox has a “long-standing policy” to only redact information using black bars, which the company says is the only secure way technique.
“Sometimes, people like to be clever and try some other redaction techniques like blurring, swirling, or pixilation,” lead researcher Dan Petro wrote. “But this is a mistake.”
He told The Daily Swig: “It’s just not a secure way to redact information,” he explained. “But you see it all the time out there on the internet, often by journalists.
“Clearly the community needed to be convinced that pixilation is bad, and a tool to un-redact is the best way to do it.”
Petro explained that assuming one already knows the font type for the original information and of the redacted text, “since the attacker in a realistic scenario would likely have received a full report”, his tool can be used to circumvent common issues when it comes to revealing redacted information.
These issues include character bleed over, when a letter shares more than one pixilation column, variable widths between letters, and font inconsistency, which can all make using an algorithm difficult.
Petro wrote: “…there’s an existing tool called Depix that tries to do exactly this through a really clever process of looking up what permutations of pixels could have resulted in certain pixelated blocks, given a De Bruijn sequence of the correct font.”
“I like the theory of this tool a lot,” he said, but added that it “doesn’t work as well in practice as you’d like”.
The blog post contains more technical detail on how the Unredacter tool was built, as well as a proof of concept.
Petro said that the tool is aimed at being used by “possibly Red Teams”, but added that it “is mostly a proof-of-concept to drive home a point – never redact text with anything other than black bars fully covering the text”.
The researcher added: “Redacted data can be almost anything from passwords in a pen test report to victim names in a criminal report.
“The consequences to insecurely redacting information is highly context-dependent, but generally, someone redacts information because they don’t want it to be read.”