Monday, May 20, 2024

New public tool can uncover redacted, pixelated text, revealing sensitive data

Developer warns that redaction method is insecure

Researchers have demonstrated how a new tool can uncover redacted text from documents, potentially exposing sensitive information to nefarious actors.

The tool, called Unredacter, was released by Bishop Fox today (February 15). To demonstrate that pixilation is “a no-good, bad, insecure, surefire way to get your sensitive data leaked”, it was designed to take redacted pixelized text and reverse it back into its reveal the supposedly hidden “clear text”.

In a blog post, lead researcher Dan Petro, who wrote the tool, explained that it was created in order to complete a challenge set by Jumspec, and also due to the use of pixilation being a “pet peeve” of his.


Bishop Fox has a “long-standing policy” to only redact information using black bars, which the company says is the only secure way technique.

“Sometimes, people like to be clever and try some other redaction techniques like blurring, swirling, or pixilation,” lead researcher Dan Petro wrote. “But this is a mistake.”

He told The Daily Swig: “It’s just not a secure way to redact information,” he explained. “But you see it all the time out there on the internet, often by journalists.

“Clearly the community needed to be convinced that pixilation is bad, and a tool to un-redact is the best way to do it.”

The tool

Petro explained that assuming one already knows the font type for the original information and of the redacted text, “since the attacker in a realistic scenario would likely have received a full report”, his tool can be used to circumvent common issues when it comes to revealing redacted information.

Recommended:  Morgan Stanley fined $35M after unencrypted, unwiped hard drives are auctioned

These issues include character bleed over, when a letter shares more than one pixilation column, variable widths between letters, and font inconsistency, which can all make using an algorithm difficult.

Petro wrote: “…there’s an existing tool called Depix that tries to do exactly this through a really clever process of looking up what permutations of pixels could have resulted in certain pixelated blocks, given a De Bruijn sequence of the correct font.”

“I like the theory of this tool a lot,” he said, but added that it “doesn’t work as well in practice as you’d like”.

The blog post contains more technical detail on how the Unredacter tool was built, as well as a proof of concept.


Petro said that the tool is aimed at being used by “possibly Red Teams”, but added that it “is mostly a proof-of-concept to drive home a point – never redact text with anything other than black bars fully covering the text”.

The researcher added: “Redacted data can be almost anything from passwords in a pen test report to victim names in a criminal report.

“The consequences to insecurely redacting information is highly context-dependent, but generally, someone redacts information because they don’t want it to be read.”

You may also enjoy reading, CVEs You May Have Missed While Log4J Stole The Headlines


Got to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Recommended:  NSA Publishes Top Practices for Improving Network Defenses
Please login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates