The Underactor tool can uncover redacted text from any document and reveal sensitive data to anyone including of course cybercriminals and threat actors.
Pixelating is a common practice used in blurring or hiding certain text parts. However, according to Bishop Fox’s lead researcher Dan Petro, all such techniques to hide text including pixelation, swirling, blurring are useless. That’s because there are tools that let people “depixelate” the text and expose the hidden content, which is generally private and sensitive information.
New Tool Renders Pixelating Useless
Offensive security consultancy firm Bishop Fox released a new tool dubbed Unredactor on February 15th that can uncover redacted text from any document and reveal sensitive data to anyone including of course cybercriminals and threat actors.
This tool validates the company’s claim that pixelation is insecure and a ‘surefire’ way to leak sensitive data. The tool can take redacted text and expose the hidden clear text by simply reversing it back.
The tool’s creator, Dan Petro, noted in the company’s blog post that this tool was created to fulfill a challenge from Jumspec. Petro mentioned another tool called Depix that cleverly performs the exact same function but isn’t as effective as Underactor.
How does the Tool work?
According to Petro, this tool can reveal redacted information if one knows the original data and redacted text’s font type. It may also be used to circumvent common issues like character bleed over, variability of widths between letters, inconsistent font, and when there are multiple pixelation columns in a letter. All these issues can make it challenging to use an algorithm.
Depixelating an image is a straightforward process, similar to searching for a password through brute force. The same encryption algorithm is applied to a list of words and compared with the target.
More interesting news on Hackread.com
To depixelate an image, the process entails comparing them with pixelated words to check if they resemble the original image, utilizing the avalanche effect technique. When there are changes in the source image details, it impacts a small part of the final image.
Underactor’s code is available on GitHub.
Issue of Concern!
Petro said that redacted data could be anything from car number plates to passwords in a pentest report or even victim names included in a criminal report. Therefore, redaction tools can be used by “Red Teams,” leading to grave concerns for users.
Petro’s tool is just a proof-of-concept to share details of a possible technique to redact text, and the researcher has urged users to only rely on black bars to cover the text and never use fancy ways of redacting text.