Cropping and Redacting Images Safely

Published: 2023-03-23
Last Updated: 2023-03-23 16:09:10 UTC
by Johannes Ullrich (Version: 1)

The recent "acropalypse" vulnerabilities in Android and Windows 11 showed yet again the dangers of relying on image processing tools to redact images [1][2]. While many image formats are still fundamentally "pixel" based, many have gone beyond simple "array of pixel" formats. Added compression, metadata, and other optimization features can make it difficult to remove information from images. This is not a new issue and has been a problem many times [3].

In some cases, image modifications are just appended to the original image file and overlaid as the image is displayed. Or files retain older versions to allow users to "undo" edits. And of course there are "bugs" like what we had with the recent image issues.

Here are some approaches to make image redaction safer. But please use them with caution.

Convert Image Formats

One way to remove "undisplayed" information from images is to convert the image to another format (gif->png, or jpeg->gif). In particular, you may lose some of the details in the image if you convert it to a compressed format. But this may actually help the intent of removing additional information from the image. Converting an image will usually remove metadata (like "EXIF" data) from images or at least reduce it. It will also create a new image based on the last version of the original image and remove edits or prior versions of the image. These additional features usually do not translate between different image formats. It cannot hurt to review the final product using a simple text tool to see if you can spot metadata, but the data may not always be apparent.

Take a Screenshot

After your image looks "right", take a screenshot of it. This will likely just copy the "pixel representation" of the current image. Just make sure that you do not have anything sensitive displayed on the screen. Even taking a partial screenshot may not be safe enough.

Take a Photo

Take a photo of the screen (or partial screen). This is probably the safest way to remove any information from the original file. But you may add new metadata by taking the image. Also, be aware of reflections and other unintended content included in the photo.

Camera artifacts like lens distortions can theoretically be used to identify the particular camera being used. Reducing the image's resolution may help reduce the probability of this happening.

Remove Metadata

Most images include some form of metadata, for example, EXIF data. There are numerous tools to review and remove or modify the metadata. Some of the data may be necessary to properly display the image. But other data, like camera GPS and other sensor data, should be removed. You may also find data identifying the camera (even serial numbers) that you should remove.
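As an added example (not code from the diary), here is a stdlib-only Python check for the PNG case that covers both the "review the final product" advice above and the metadata removal described here: it lists chunks a viewer never renders (tEXt, eXIf, tIME and friends) and counts any bytes appended after the IEND chunk, then rebuilds the file from the image-critical chunks only. The 2x2 sample image, its tEXt chunk and the appended junk are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks needed to decode and display the image; anything else (tEXt, iTXt, zTXt, eXIf, tIME, ...) is metadata.
KEEP = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}

def _chunk(ctype, payload):
    """Encode one PNG chunk: length, type, payload, CRC over type+payload."""
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))

def parse_png(data):
    """Return (chunks, trailing): chunks up to and including IEND, plus any bytes after it."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        payload = data[pos + 8:end - 4]
        if struct.unpack(">I", data[end - 4:end])[0] != zlib.crc32(ctype + payload):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        chunks.append((ctype, payload))
        pos = end
        if ctype == b"IEND":
            return chunks, data[pos:]
    raise ValueError("no IEND chunk found")

def audit_png(data):
    """Report what a viewer never shows: metadata chunks and bytes appended after IEND."""
    chunks, trailing = parse_png(data)
    return {"metadata_chunks": [c.decode() for c, _ in chunks if c not in KEEP],
            "trailing_bytes": len(trailing)}

def rewrite_png(data):
    """Rebuild the file from KEEP chunks only, dropping metadata and trailing data."""
    chunks, _ = parse_png(data)
    return PNG_SIG + b"".join(_chunk(c, p) for c, p in chunks if c in KEEP)

def sample_png():
    """Constructed input: a 2x2 RGB image with a tEXt chunk and junk appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)  # width, height, 8-bit, RGB, no interlace
    rows = b"".join(b"\x00" + bytes([255, 0, 0, 0, 255, 0]) for _ in range(2))  # filter 0 + 2 px
    png = (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Comment\x00secret")
           + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))
    return png + b"LEFTOVER DATA FROM AN EARLIER VERSION"
```

Run audit_png on a redacted file before publishing it; a non-empty metadata list or a non-zero trailing count means the file still carries something the viewer does not show.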

Summary

It is hard to redact images properly. In the end: Try to figure out if it is worth the risk of posting the image. If it is a minor detail you redact, the risk may be acceptable. But if revealing redacted information may get you arrested or fired: Think twice before posting the image.

[1] https://acropalypse.app
[2] https://twitter.com/sjmurdoch/status/1638623990817103888
[3] https://www.wired.com/story/redact-pdf-online-privacy/

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu