"Redacted Documents Are Not as Secure as You Think"

According to researchers, popular redaction tools do not always work as intended, and new attacks can reveal hidden data. Since most documents are now digitized, securely redacting their contents has become more difficult. Most redactions by government officials and courts involve placing black boxes over text in PDFs. If redaction is done incorrectly, people's safety and national security can be jeopardized.

A new study from the University of Illinois looked at the most popular tools for redacting PDF documents and found that many of them fell short. Two of the most popular tools were found to provide no protection to the underlying text, which remained accessible by copying and pasting it. Furthermore, a new attack method the researchers devised allows them to extract secret details from redacted text. After examining millions of publicly available documents with blacked-out redactions, including those from the US court system, the US Office of the Inspector General (OIG), and Freedom of Information Act (FOIA) requests, the researchers discovered thousands of documents that exposed people's names and other sensitive details.

Officials usually redact sections of text in documents because they contain people's personal information or because they believe the information should not be released, in order to protect the interests of an organization. Names of confidential informants or whistleblowers may be redacted from court documents, and information that could harm national security if made public may be redacted from policy documents.

The team examined 11 popular redaction tools during the new study, finding that PDFzorro and PDFescape Online enabled full access to allegedly redacted text. They only needed to copy and paste the text to gain access to it. The researchers registered Common Vulnerabilities and Exposures (CVE) numbers for both issues; CVE numbers are used to catalog unique security vulnerabilities. During testing, they were able to access PDFzorro redactions by highlighting them, but the text cannot be accessed if you choose to "lock" the PDF before downloading it.

The Illinois study goes beyond copying and pasting. It also shows a new way to attack PDF documents and use hidden fingerprints to reveal redacted names. The team focused on names because they are often redacted and sensitive. According to the researchers, it appears that large blocks of text cannot be unredacted. In order to reveal people's identities, the team created Edact-Ray, a tool that can detect, break, and repair redaction information leaks. This article continues to discuss findings from the study on the security of popular redaction tools.
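A pre-release check for the black-box failure described above, as an added example that is not code from the article, the study, or any of the tools named: it flags text that is still drawn underneath a black filled rectangle. It assumes an already-decompressed page content stream that uses only the `Td`, `Tj`, `rg`, `re` and fill operators with no transformation matrices; the function name and both sample streams are constructed for illustration.

```python
import re

# Constructed sample: uncompressed page content stream where a black box is
# painted over a name but the text-showing operator (Tj) is still present.
SAMPLE_OVERLAY = b"""
BT /F1 12 Tf 72 700 Td (Witness: ) Tj ET
BT /F1 12 Tf 130 700 Td (Jane Example) Tj ET
0 0 0 rg
128 696 80 14 re f
"""
# Constructed sample: the same page with the text operator actually removed.
SAMPLE_REMOVED = b"""
BT /F1 12 Tf 72 700 Td (Witness: ) Tj ET
0 0 0 rg
128 696 80 14 re f
"""

TOKEN = re.compile(rb"\((?:[^()\\]|\\.)*\)|[^\s()]+")
NUMBER = re.compile(rb"[+-]?(?:\d+\.?\d*|\.\d+)")

def text_under_black_boxes(stream: bytes) -> list[str]:
    """Return strings whose drawing origin lies inside a black filled rectangle."""
    operands, texts, boxes, pending = [], [], [], []
    fill = (0.0, 0.0, 0.0)            # PDF's default fill colour is black
    x = y = 0.0
    for tok in TOKEN.findall(stream):
        if tok[:1] in (b"(", b"/") or NUMBER.fullmatch(tok):
            operands.append(tok)      # operand: string, name or number
            continue
        if tok == b"BT":              # new text object: position resets
            x = y = 0.0
        elif tok == b"Td":            # move text position by (tx, ty)
            x, y = x + float(operands[-2]), y + float(operands[-1])
        elif tok == b"Tj":            # show a literal string at (x, y)
            texts.append((x, y, operands[-1][1:-1].decode("latin-1")))
        elif tok == b"rg":            # set RGB fill colour
            fill = tuple(float(v) for v in operands[-3:])
        elif tok == b"re":            # append rectangle x y w h to the path
            pending.append(tuple(float(v) for v in operands[-4:]))
        elif tok in (b"f", b"F", b"f*"):   # fill the path
            if fill == (0.0, 0.0, 0.0):
                boxes.extend(pending)
            pending = []
        elif tok in (b"S", b"n"):     # stroke / discard: not a filled box
            pending = []
        operands = []
    return [s for tx, ty, s in texts
            if any(bx <= tx <= bx + w and by <= ty <= by + h
                   for bx, by, w, h in boxes)]
```

An empty result only rules out the overlay failure; it says nothing about the fingerprint-based attack the study also describes.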

Wired reports "Redacted Documents Are Not as Secure as You Think"

Submitted by Anonymous on