For a long time, if you wanted to protect sensitive text in a document, you could use a scalpel or a pair of scissors. A marker pen would do the job if this didn't work. It is more difficult to redact documents now that they are digital. Black boxes are placed over text in PDF redactions.
National security can be put at risk when this redaction is done wrong. A team at the University of Illinois looked at the most popular redaction tools and found a lot of them wanting. A new attack method made it possible to extract secret information from the text.
There are flaws that aren't just theoretical. Thousands of documents that exposed people's names and other sensitive details were found after examining millions of publicly available documents with blacked out redactions. According to Bland, the paper's lead author, he provided the US court system with over 700 copies of trivial copy-paste style redactions.
Section of text that contains people's personal information is usually redacted by officials because they don't want to jeopardize an organization's interests. Information that could damage national security can be redacted in court documents.
The team analyzed 11 popular redaction tools. They discovered that PDFzorro and PDFescape Online gave full access to the text. The only thing they needed to do was copy and paste it. CVE numbers are used to catalog security vulnerabilities.
PDFzorro did not reply to WIRED. The tool was able to highlight PDFzorro redactions. The text can't be accessed if you click on an option to "lock" the PDF. A customer service representative from PDFescape Online said that the software has recently been acquired by a new company and that they have rolled out an update for PDFescape Online. They said that the redaction tool had been removed and would be reworked to be compliant.
The Illinois research is more than copying. A new way to attack PDF documents and use hidden fingerprints to reveal names has been demonstrated. Bland says that the team focused on names as they are often redacted. Researchers say it's not possible to unredact large blocks of text. The Edact-Ray tool can identify, break, and fix redaction information leaks.