The practice of blurring out text using a method called pixelation may not be as secure as previously thought.
While the most foolproof way of concealing sensitive textual information is to use opaque black bars, other redaction methods like pixelation can achieve the opposite effect, enabling the reversal of pixelized text back into its original form.
Dan Petro, a lead researcher at offensive security firm Bishop Fox, has demonstrated a new open-source tool called Unredacter that reconstructs text from pixelated images, effectively leaking the very information that was meant to be protected.
The tool is also seen as an improvement over an existing utility named Depix, which works by looking up what permutations of pixels could have resulted in certain pixelated blocks to recover the text.
The threat model rests on the hypothesis that, given an image containing both redacted and unredacted text, an attacker can use the font size and typeface gleaned from the clear text to predict the concealed information.
This is far from the first time similar methods have been proposed to get back redacted information from pixelated content. In January 2022, researchers from Positive Security detailed a method to reverse pixelation in videos.
“Content creators and journalists should be aware of the additional risks when redacting information in videos and use a sufficiently high mosaic size/blur radius, or better yet, use an opaque, single-colored box,” researcher Fabian Braunlein said.
Petro concurs. “The bottom line is that when you need to redact text, use black bars covering the whole text. Never use anything else. No pixelation, no blurring, no fuzzing, no swirling.”
“The last thing you need after making a great technical document is to accidentally leak sensitive information because of an insecure redaction technique,” Petro added.
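The following is an added illustration, not code from Unredacter, Depix or the researchers quoted above. It measures how much a redaction still depends on the hidden text: a mosaic is a deterministic average of the underlying pixels, so different secrets yield different mosaics, while an opaque bar yields one identical output for all of them. The 3x5 digit font, the two-digit candidate set and all function names are constructed for this example.

```python
# Constructed 3x5 bitmap font for digits (sample data, not from the article).
FONT = {
    "0": "111 101 101 101 111", "1": "010 110 010 010 111",
    "2": "111 001 111 100 111", "3": "111 001 111 001 111",
    "4": "101 101 111 001 001", "5": "111 100 111 001 111",
    "6": "111 100 111 101 111", "7": "111 001 001 001 001",
    "8": "111 101 111 101 111", "9": "111 101 111 001 111",
}
CELL_H = 5  # glyph height; each glyph is 3 ink columns plus 1 blank column


def render(text):
    """Rasterise text into rows of 0/1 pixels (1 = ink)."""
    rows = [[] for _ in range(CELL_H)]
    for ch in text:
        for y, bits in enumerate(FONT[ch].split()):
            rows[y].extend(int(b) for b in bits)
            rows[y].append(0)  # spacing column between glyphs
    return rows


def pixelate(img, block):
    """Mosaic redaction: each block x block tile becomes its mean brightness."""
    h, w = len(img), len(img[0])
    out = []
    for y0 in range(0, h, block):
        row = []
        for x0 in range(0, w, block):
            tile = [img[y][x]
                    for y in range(y0, min(y0 + block, h))
                    for x in range(x0, min(x0 + block, w))]
            row.append(255 * sum(tile) // len(tile))
        out.append(tuple(row))
    return tuple(out)


def black_bar(img):
    """Opaque redaction: every pixel is overwritten with one colour."""
    return tuple(tuple(0 for _ in row) for row in img)


def residual_leak():
    """Count distinct redacted images over all 100 two-digit secrets.
    A count of 1 means the redaction reveals nothing about the text."""
    secrets = [f"{n:02d}" for n in range(100)]
    methods = {"mosaic_2px": lambda i: pixelate(i, 2),
               "mosaic_4px": lambda i: pixelate(i, 4),
               "black_bar": black_bar}
    return {name: len({redact(render(s)) for s in secrets})
            for name, redact in methods.items()}


if __name__ == "__main__":
    print(residual_leak())
```

A larger mosaic size lowers the count but does not bring it to 1; only the opaque bar does.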