Aral Balkan

2 years ago • •

Aral Balkan
2 years ago • •

Warning: There’s an app for blurring out sensitive information in images called Obfuscate being featured on #GNOME Software right now.

Please be careful.

The default blur setting can easily be reversed.

The default should be to replace the areas with a solid colour or a pattern not derived from the underlying information.

This really should not be a featured app in its current state.

#security #linux #apps #obfuscate

A code snippet with some text blurred out.

in reply to Aral Balkan

thm | tomáš א mládek

in reply to Aral Balkan • 2 years ago • •

😬 This really should be common knowledge, I've seen lots of people make the same mistake.

Having this misfeature in a "featured app" is absolutely dangerous.

in reply to Aral Balkan

Aral Balkan

in reply to Aral Balkan • 2 years ago • •

For a visual example of how trivial it is to reverse such techniques, see hackaday.com/2022/02/23/pixela…

Pixelating Text Not A Good Idea

People have gotten much savvier about computer security in the last decade or so. Most people know that sending a document with sensitive information in it is a no-no, so many people try to redact …

^Hackaday

in reply to Aral Balkan

jan ale

in reply to Aral Balkan • 2 years ago • •

Contents of blur

extension

this.addEventListenerFile(filePath)

in reply to jan ale

Aral Balkan

in reply to jan ale • 2 years ago • •

Contents of blur

Yep. (And yes, that’s an autocomplete corruption – the screenshot was from a bug report I filed for Helix Editor) :)

in reply to Aral Balkan

Aral Balkan

in reply to Aral Balkan • 2 years ago • •

Contents of blur

And, of course, thank you for the case in point :)

in reply to Aral Balkan

Aral Balkan

in reply to Aral Balkan • 2 years ago • •

Case it point, the text in my image was revealed by @janale about fifteen minutes after my original post.

toki.social/@janale/1083740420…

#GNOME #Obfuscate #security

jan ale (@janale@toki.social)

Content warning: Contents of blur

^toki.social

#security #gnome #obfuscate @jan ale

in reply to Aral Balkan

Fernanda

in reply to Aral Balkan • 2 years ago • •

I can't even...

in reply to Fernanda

Aral Balkan

in reply to Fernanda • 2 years ago • •

Wow.

Just replied here:

gitlab.gnome.org/World/obfusca…

Security: Default obfuscation settings are not secure (#45) · Issues · World / Obfuscate

I love the idea and potential of this app. That said, its default settings currently are not secure. The blurred out text can easily be reversed.

^GitLab

in reply to Aral Balkan

Aral Balkan

in reply to Aral Balkan • 2 years ago • •

Right, the app’s developer has agreed to change the default tool to pure colour replacement (which is secure).

While he wants to keep the blur tool also (for non-sensitive stuff/aesthetic uses), I hope that he’ll be adding a warning to it when it is first used that alerts people not to use it for sensitive information and/or that the app description reflects that.

All in all, a positive development.

And now I can go back to coding…

in reply to Aral Balkan

was B (this is my old account)

in reply to Aral Balkan • 2 years ago • •

it seems like this could be achieved more safely with a combined effect like pixelate first and then blur

in reply to Aral Balkan

Trisha Lynn 🇵🇭 🇺🇸 🇨🇦

in reply to Aral Balkan • 2 years ago • •

Right on with you for pointing out a thing and the developer working on it "toot" de suite!

Unknown parent

Aral Balkan

Unknown parent • 2 years ago • •

Well at least he came around eventually – that’s more than you can say for some folks :) It’s also understandable that folks become defensive sometimes when you criticise their baby. That said, all I really care about is that no one is hurt by revealing sensitive information about themselves. Fingers crossed this will be a quick update.

in reply to Aral Balkan

Fernanda

in reply to Aral Balkan • 2 years ago • •

I really don't understand why the dev got so defensive at the point of denial, just say "I'll check this" even without planning to do anything would still have been a better first response.

in reply to Aral Balkan

nikomaru

in reply to Aral Balkan • 2 years ago • •

or, now hear me out, use gimp?

in reply to Aral Balkan

nemo™ 🇺🇦

in reply to Aral Balkan • 2 years ago • •

True folks should be very carefull

positive.security/blog/video-d…

nitter.unixfox.eu/mr_phrazer?c…

twitter.com/mr_phrazer

synthesis.to/

github.com/subeeshvasu/Awesome…

people.duke.edu/~sf59/TIP_Demo…

github.com/BishopFox/unredacte…

bishopfox.com/blog/unredacter-…

Never Use Text Pixelation To Redact Sensitive Information

See why you should never use pixelation for redacting text and why it is a surefire way to get your data leaked. Learn from security researcher Dan Petro.

^{Dan Petro (Bishop Fox)}

in reply to Aral Balkan

Fruitlov3r

in reply to Aral Balkan • 2 years ago • •

what if you do it multiple times on the same spot?

⇧