Cropping and Redacting Images Safely
The recent "acropalypse" vulnerabilities in Android and Windows 11 showed yet again the dangers of relying on image processing tools to redact images [1][2]. While many image formats are still fundamentally "pixel" based, many have gone beyond simple "array of pixel" formats. Added compression, metadata, and other optimization features can make it difficult to remove information from images. This is not a new issue and has been a problem many times [3].
In some cases, image modifications are just appended to the original image file and overlayed as the image is displayed. Or files retain older versions to allow users to "undo" edits. And of course there are "bugs" like what we had with the recent image issues.
Here are some approaches to make image redaction safer. But please use them with caution.
Convert Image Formats
One way to remove "undisplayed" information from images is to convert the image to another format (gif->png, or jpeg->gif). In particular, you may lose some of the details in the image if you convert it to a compressed format. But this may actually help the intent of removing additional information from the image. Converting an image will usually remove metadata (like "EXIF" data) from images or at least reduce it. It will also create a new image based on the last version of the original image and remove edits or prior versions of the image. These additional features usually do not translate between different image formats. It can not hurt to review the final product using a simple text tool to see if you can spot meta data, but the data may not always be apparent.
Take a Screenshot
After your image looks "right", take a screenshot of it. This will likely just copy the "pixel representation" of the current image. Just make sure that you do not have anything sensitive displayed on the screen. Even taking a partial screenshot may not be safe enough.
Take a Photo
Take a photo of the screen (or partial screen). This is probably the safest way to remove any information from the original file. But you may add new metadata by taking the image. Also, be aware of reflections and other unintended content included in the photo.
Camera artifacts like lens distortions can theoretically be used to identify the particular camera being used. Reducing the image's resolution may help reduce the probability of this happening.
Remove Metadata
Most images include some form of metadata, for example, EXIF data. There are numerous tools to review and remove or modify the metadata. Some of the data may be necessary to properly display the image. But other data, like camera GPS and other sensor data, should be removed. You may also find data identifying the camera (even serial numbers) that you should remove.
Summary
It is hard to redact images properly. In the end: Try to figure out if it is worth the risk of posting the image. If it is a minor detail you redact, the risk may be acceptable. But if revealing redacted information may get you arrested or fired: Think twice before posting the image.
[1] https://acropalypse.app
[2] https://twitter.com/sjmurdoch/status/1638623990817103888
[3] https://www.wired.com/story/redact-pdf-online-privacy/
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
Comments
Example: TIF > JPG > TIF. We can call this process "formatting wash out"!
Spiros
Mar 24th 2023
1 year ago
mdunlop@jasa.org
Mar 24th 2023
1 year ago