The practice of blurring out text using a method called
pixelation may not be as secure as previously thought.

While the most foolproof way of concealing sensitive textual
information is to use opaque black bars, other redaction methods
like pixelation can achieve the opposite effect, enabling the
reversal of pixelized text back into its original form.

Dan Petro, a lead researcher at offensive security firm Bishop
Fox, has demonstrated[1] a new open-source tool called
Unredacter[2] to reconstruct text from the pixelated images,
effectively leaking the very information that was meant to be
protected.

The tool is also seen as an improvement over an existing utility
named Depix[3], which works by looking up what permutations of
pixels could have resulted in certain pixelated blocks to recover
the text.

The threat model rests on the assumption that, given a piece of
text containing both redacted and un-redacted information, the
attacker uses the font size and type gleaned from the clear text
to predict the concealed information.
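
Why pixelation leaks while an opaque bar does not, as an added example (not code from Unredacter, Depix or the original article): a mosaic is a deterministic average of the hidden pixels, so different hidden text produces different redacted images, whereas a flat box produces the same image for every input. The 3x5 digit glyphs, the block size and all function names are constructed for this illustration.

```python
from itertools import product

# Constructed 3x5 bitmap digits ('#' = ink); a stand-in for a real font.
GLYPHS = {
    "0": ("###", "#.#", "#.#", "#.#", "###"),
    "1": (".#.", "##.", ".#.", ".#.", "###"),
    "2": ("###", "..#", "###", "#..", "###"),
    "3": ("###", "..#", "###", "..#", "###"),
    "4": ("#.#", "#.#", "###", "..#", "..#"),
    "5": ("###", "#..", "###", "..#", "###"),
    "6": ("###", "#..", "###", "#.#", "###"),
    "7": ("###", "..#", "..#", "..#", "..#"),
    "8": ("###", "#.#", "###", "#.#", "###"),
    "9": ("###", "#.#", "###", "..#", "###"),
}

def render(text):
    """Rasterise text to grayscale rows (0 = ink, 255 = paper), 4 px per glyph."""
    return [[0 if c == "#" else 255 for ch in text for c in GLYPHS[ch][r] + "."]
            for r in range(5)]

def pixelate(img, block=3):
    """Mosaic redaction: replace each block x block tile by its mean value."""
    h, w = len(img), len(img[0])
    out = [row[:] for row in img]
    for y0 in range(0, h, block):
        for x0 in range(0, w, block):
            tile = [(y, x) for y in range(y0, min(y0 + block, h))
                    for x in range(x0, min(x0 + block, w))]
            mean = sum(img[y][x] for y, x in tile) // len(tile)
            for y, x in tile:
                out[y][x] = mean
    return out

def black_bar(img):
    """Opaque redaction: every pixel becomes the same colour."""
    return [[0] * len(row) for row in img]

def is_opaque(region):
    """Check a redacted region before publishing: a single flat colour only."""
    return len({p for row in region for p in row}) == 1

def distinct_outputs(redact, length=2):
    """How many different redacted images the 10**length candidates produce.
    1 means the redaction reveals nothing about the hidden digits."""
    return len({str(redact(render("".join(d))))
                for d in product(GLYPHS, repeat=length)})
```

`is_opaque` is the check to run on a redacted region before publishing; `distinct_outputs` shows how much a given redaction method still depends on the hidden text.
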

This is far from the first time similar methods have been
proposed to get back redacted information from pixelated content.
In January 2022, researchers from Positive Security detailed a
method[4] to reverse pixelation in videos.

“Content creators and journalists should be aware of the
additional risks when redacting information in videos and use a
sufficiently high mosaic size/blur radius, or better yet, use an
opaque, single-colored box,” researcher Fabian Braunlein said.

Petro concurs. “The bottom line is that when you need to redact
text, use black bars covering the whole text. Never use anything
else. No pixelation, no blurring, no fuzzing, no swirling.”

“The last thing you need after making a great technical document
is to accidentally leak sensitive information because of an
insecure redaction technique,” Petro added.

References
[1] demonstrated (bishopfox.com)
[2] Unredacter (github.com)
[3] Depix (github.com)
[4] method (positive.security)

Read more https://thehackernews.com/2022/02/this-new-tool-can-retrieve-pixelated.html