I'm wondering if it's safe to black out sensitive information from a picture just by using Microsoft Paint?

Let's assume in this scenario that EXIF data is stripped and there is no thumbnail picture, so that no data can be leaked in such a way.

But I'm interested in whether there is any other attack that can be used in order to retrieve hidden information from the picture?

2  
Have you considered just experimenting yourself: black out a small area of the image and compare before/after hexdumps? Maybe add extra Gaussian blur or other features? – Little Code Jun 13 at 22:36
1  
Not yet, I have that in my mind... – mirsad Jun 13 at 22:39
5  
Do you mean by "hidden information" actually "hidden" information? Or do you mean by "hidden" information that is removed? 2 very different things with respect to your question – Zaibis Jun 14 at 7:11
5  
@TheGreatDuck surely the reason we even have an Information Security stackexchange is that computers very often expose data in unintended ways, no? – nekomatic 2 days ago
3  
For small images, I blacken out the sensitive info and just take a screenshot of that. May be time consuming to do this with a large number of pictures. – rohithpr 2 days ago
up vote 155 down vote accepted

As mentioned in the answers to a very similar question, scribbling over part of an image will destroy the original pixels, assuming that your editor doesn't store any layers or undo history. (Paint doesn't.) There are some things to watch out for, though:

  • The width of the blanked region places an upper bound on the length of the secret data
  • The height of the region could tell attackers whether the text representation of the data has ascenders or descenders (like in the letters b and p)
  • Any spaces in the blanked region provide information about the relative lengths of the data's parts/words (mentioned in David Schwartz's comment)

If you use a blur rather than a plain opaque rectangle/brush, a determined attacker could try lots of different possibilities in the image to see what text(s) get close to your image when blurred. Some effects can be undone almost perfectly, so make sure the one you use involves a lot of randomness or actual data destruction (e.g. a blocky pixellization). Of course, Paint doesn't have any special effects, so you should be fine.

One possible thing to be wary of is JPEG compression artifacts around the secret data, which could be used to get clues about the shape of the text. It never hurts to overwrite more information than necessary when you're concerned about secrecy. (This attack isn't a problem if the image never went through JPEG compression before your redaction.)

116  
Don't forget that if you are blocking out information from a sorted list etc., its position can give away what it said. I heard a story of the USA releasing a list of cities containing a particular type of secret installations from the cold war. With ones that were still in use blacked out. The list was alphabetized, so a list of possible cities for each blackout could be generated. Then by cross referencing this list against other facts, on how reasonable it was for a site to be in them, very good guesses could be made at which cities still had active sites. – Oxinabox Jun 14 at 2:42
60  
Reversal of blurring type effects isn't a hypothetical risk. At least one notorious scumbag, Mr. Swirl was busted after someone worked out a way to unscramble his face in CP pictures he shared. – Dan Neely Jun 14 at 5:04
14  
A tall blacked-out region doesn't tell you whether the text representation contains descenders or not. It only tells you that it might. – Robert Harvey Jun 14 at 5:07
18  
Even "a blocky pixelization" may leave enough data to recover obscured text—much better to just completely cover it. – Miles Jun 14 at 5:36
22  
@RobertHarvey: Right, but a not-tall blacked-out region tells you that it doesn't. – Lightness Races in Orbit Jun 14 at 10:18

Ditto Ben N, but let me add a couple of points that are too long to fit as comments.

I'd emphasize the distinction between layered and un-layered data formats. Drawing a black box over a section of a GIF, JPG, or PNG image destroys the previous contents. Drawing a black box over a section of a Photoshop, Corel Draw, or Paint Shop Pro native image does not destroy the previous contents if it's on a different layer.

I'd be very cautious about blurring. You'd have to know how the software does the blur. If the blurring does not involve any randomness, if it's a deterministic algorithm, it may be possible to undo the blur with appropriate software. No way would I rely on it without thoroughly understanding the algorithm. Unless there was some very good reason to blur rather than black out, I just wouldn't do it.

Of course any attempt to redact with solid blocks must completely cover the original contents to be safe. You want to draw a black box, not scribble over it with a black pen that might leave gaps.

Some formats may keep an internal history log. Not quite the same thing, but I once had a case where my organization produced documents in PDF, another company edited those documents and then sent them back to us. We found that errors had been introduced in the documents and, to put it bluntly, blamed them. They claimed that the documents must have been like this to begin with because they didn't do it. Apparently they were unaware that PDF has an internal log of all changes, and I was able to identify exactly what text was changed and the exact time and date of every change.

41  
In 2005 there was a case where a US soldier killed an Italian secret agent in Iraq. The US published a report which contained classified information, including the name of the soldier who shot. It was a PDF, and the secret information had been covered with a black layer. It was quickly discovered that the text beneath was still present, and a simple copy/paste would reveal everything. So this is a real risk! – Fabio Turati Jun 14 at 10:02
8  
In 2007, Christopher Paul Neil was arrested for child pornography, because he used the Photoshop "twirl" tool to obscure his face. They were able to undo the effect, and reveal his face: schneier.com/blog/archives/2007/10/untwirling_a_ph.html – Jonathon Reinhart Jun 14 at 11:07
6  
It might be worth updating your answer as at least a PNG created in Adobe Fireworks does use layers so it doesn't destroy the content underneath. However I'm unsure about cross compatibility with other image editors (especially Photoshop) – Crazy Dino Jun 14 at 12:07
5  
It's not actually randomness that's required, just non-reversibility. (e.g. a hash function isn't random. Neither is drawing a black box. Neither is setting every pixel to the average of all pixels in a region. The latter drastically reduces the information content of the region, but still contains some of the source information.) – Peter Cordes Jun 14 at 12:09
6  
@CrazyDino More accurately, that's the APNG format (whether or not it is actually animated). Like animated GIFs, animated PNGs use layers as frames, and if one layer contains the sensitive information, it isn't truly destroyed. – Gallant Jun 14 at 14:49

When blacking out sensitive information in Paint the original pixels are destroyed. But using Inkscape to black out part of a vector image does not destroy the pixels, but instead covers them. If someone removes the black cover they can see the pixels. The same applies to things like Foxit Reader (I almost sent a document with sensitive information which had been covered with a black square).

So using MS Paint to black out sensitive information is safe. JPEG artifacts might show some of the text like @BenN says.

Just don't blur it if you don't blur enough, and MS Paint doesn't support blur anyway.

6  
Good point - also more complicated editors like Photoshop have transparency settings in several places, and if one gets set to 98% instead of 100%, the color can look like black, but the original data is really just mixed with an almost black color and can be retrieved. – JPhi1618 Jun 14 at 14:09
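A pre-publication check for two failure modes raised in this thread (a cover that is not fully opaque, and a scribble that leaves gaps), as an added example that is not part of the original answers or comments. The image is a constructed 8-bit grayscale grid, and the names `cover` and `audit_redaction` are hypothetical.

```python
# Added example: pixels are rows of 8-bit grayscale values (255 = paper, 0 = ink).
# SAMPLE is constructed data standing in for a decoded, flattened image.
SAMPLE = [
    [255, 255, 255, 255, 255, 255, 255, 255],
    [255,   0,   0, 255,   0, 255,   0, 255],
    [255,   0, 255, 255,   0,   0,   0, 255],
    [255, 255, 255, 255, 255, 255, 255, 255],
]
BOX = (1, 1, 7, 3)  # x0, y0, x1, y1 (end-exclusive) around the sensitive strokes


def cover(pixels, box, opacity_pct=100, skip_every=0):
    """Blend black over the box at opacity_pct percent.

    skip_every=N leaves every Nth column untouched, modelling a pen
    scribble that misses parts of the region.
    """
    x0, y0, x1, y1 = box
    out = [row[:] for row in pixels]
    for y in range(y0, y1):
        for x in range(x0, x1):
            if skip_every and (x - x0) % skip_every == skip_every - 1:
                continue  # the stroke missed this column
            # Alpha blend with black: only (100 - opacity)% of the original remains.
            out[y][x] = pixels[y][x] * (100 - opacity_pct) // 100
    return out


def audit_redaction(pixels, box, fill=0):
    """Report whether every pixel in the box equals the fill colour exactly."""
    x0, y0, x1, y1 = box
    region = [pixels[y][x] for y in range(y0, y1) for x in range(x0, x1)]
    residual = [v for v in region if v != fill]
    return {
        "safe": not residual,
        "distinct_values": len(set(region)),
        "residual_pixels": len(residual),
        "max_residual": max((abs(v - fill) for v in residual), default=0),
    }


if __name__ == "__main__":
    for label, img in (
        ("opaque box", cover(SAMPLE, BOX)),
        ("98% opacity", cover(SAMPLE, BOX, opacity_pct=98)),
        ("scribble with gaps", cover(SAMPLE, BOX, skip_every=3)),
    ):
        print(label, audit_redaction(img, BOX))
```

The check only inspects decoded pixels of the exported file; it says nothing about layers, undo history or metadata that a format may carry alongside them.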

Already a few good answers here, saying Paint is safe. (I have no reason to believe otherwise.)

Just want to add that while blacking out a rectangle that fully covers the area and any surrounding areas (lists that information is part of, etc.) using a basic, well-studied image editing program should be fairly safe, just using any image editor might not be safe, as shown by http://www.underhanded-c.org/_page_id_17.html


As a raster image program that does not use layers nor contain an undo history after saving, overwriting sensitive pixels in Paint irrevocably changes them in the saved image.

1  
Sometimes a very short answer is a very good one. – Joshua yesterday
