Aral Balkan

3 years ago

Aral Balkan
3 years ago

Warning: There’s an app for blurring out sensitive information in images called Obfuscate being featured on #GNOME Software right now.

Please be careful.

The default blur setting can easily be reversed.

The default should be to replace the areas with a solid colour or a pattern not derived from the underlying information.

This really should not be a featured app in its current state.

#security #linux #apps #obfuscate

A code snippet with some text blurred out.

in reply to Aral Balkan

thm | tomáš א mládek

in reply to Aral Balkan 3 years ago

😬 This really should be common knowledge, I've seen lots of people make the same mistake.

Having this misfeature in a "featured app" is absolutely dangerous.

in reply to Aral Balkan

Aral Balkan

in reply to Aral Balkan 3 years ago

For a visual example of how trivial it is to reverse such techniques, see hackaday.com/2022/02/23/pixela…

Pixelating Text Not A Good Idea

People have gotten much savvier about computer security in the last decade or so. Most people know that sending a document with sensitive information in it is a no-no, so many people try to redact …

^Hackaday

in reply to Aral Balkan

jan Ale

in reply to Aral Balkan 3 years ago

Contents of blur

extension

this.addEventListenerFile(filePath)

in reply to jan Ale

Aral Balkan

in reply to jan Ale 3 years ago

Contents of blur

Yep. (And yes, that’s an autocomplete corruption – the screenshot was from a bug report I filed for Helix Editor) :)

in reply to Aral Balkan

Aral Balkan

in reply to Aral Balkan 3 years ago

Contents of blur

And, of course, thank you for the case in point :)

in reply to Aral Balkan

Aral Balkan

in reply to Aral Balkan 3 years ago

Case it point, the text in my image was revealed by @janale about fifteen minutes after my original post.

toki.social/@janale/1083740420…

#GNOME #Obfuscate #security

jan ale (@janale@toki.social)

Content warning: Contents of blur

^toki.social

#security #gnome #obfuscate @jan Ale

in reply to Aral Balkan

Fernanda

in reply to Aral Balkan 3 years ago

I can't even...

in reply to Fernanda

Aral Balkan

in reply to Fernanda 3 years ago

Wow.

Just replied here:

gitlab.gnome.org/World/obfusca…

Security: Default obfuscation settings are not secure (#45) · Issues · World / Obfuscate

I love the idea and potential of this app. That said, its default settings currently are not secure. The blurred out text can easily be reversed.

^GitLab

in reply to Aral Balkan

Aral Balkan

in reply to Aral Balkan 3 years ago

Right, the app’s developer has agreed to change the default tool to pure colour replacement (which is secure).

While he wants to keep the blur tool also (for non-sensitive stuff/aesthetic uses), I hope that he’ll be adding a warning to it when it is first used that alerts people not to use it for sensitive information and/or that the app description reflects that.

All in all, a positive development.

And now I can go back to coding…

in reply to Aral Balkan

was B (this is my old account)

in reply to Aral Balkan 3 years ago

it seems like this could be achieved more safely with a combined effect like pixelate first and then blur

in reply to Aral Balkan

Trisha Lynn 🇵🇭 🇺🇸 🇨🇦

in reply to Aral Balkan 3 years ago

Right on with you for pointing out a thing and the developer working on it "toot" de suite!

Unknown parent

Aral Balkan

Unknown parent 3 years ago

Well at least he came around eventually – that’s more than you can say for some folks :) It’s also understandable that folks become defensive sometimes when you criticise their baby. That said, all I really care about is that no one is hurt by revealing sensitive information about themselves. Fingers crossed this will be a quick update.

in reply to Aral Balkan

Fernanda

in reply to Aral Balkan 3 years ago

I really don't understand why the dev got so defensive at the point of denial, just say "I'll check this" even without planning to do anything would still have been a better first response.

in reply to Aral Balkan

nikomaru

in reply to Aral Balkan 3 years ago

or, now hear me out, use gimp?

in reply to Aral Balkan

🐦‍🔥nemo™🐦‍⬛ 🇺🇦

in reply to Aral Balkan 3 years ago

True folks should be very carefull

positive.security/blog/video-d…

nitter.unixfox.eu/mr_phrazer?c…

twitter.com/mr_phrazer

synthesis.to/

github.com/subeeshvasu/Awesome…

people.duke.edu/~sf59/TIP_Demo…

github.com/BishopFox/unredacte…

bishopfox.com/blog/unredacter-…

Never Use Text Pixelation To Redact Sensitive Information

See why you should never use pixelation for redacting text and why it is a surefire way to get your data leaked. Learn from security researcher Dan Petro.

^{Dan Petro (Bishop Fox)}

in reply to Aral Balkan

Fruitlov3r

in reply to Aral Balkan 3 years ago

what if you do it multiple times on the same spot?

⇧

Aral Balkan 3 years ago • •

Aral Balkan
3 years ago