No 100% opacity with pixelize applied at image borders resulting in leakage of private information

[Photon89]

Hi,

I'm running shutter-0.93.1-1ubuntu1 on Ubuntu Xenial and there is a serious privacy issue with the pixelize tool when editing screenshots.

The pixelize tool is normally used to hide private information in screenshots, e.g. before sharing them with others online.

It's vital that any parts of the image the user puts a pixelize overlay on uses 100% opacity so no sensitive information the user want's to hide remains visible in the image after being saved.

When snapping a screenshot (as PNG file) and then editing the file, the pixelize overlay becomes kinda translucent as soon as parts of the pixelize rectangle touch the image border.

I can reproduce this issue even when the pixelize rectangle doesn't touch or go beyond the image area.

Sometimes you have to move the pixelize area a couple of times until you see that the subjacent content is still visible.

***** Nobody using the pixelize function expects that the overlay does leak content the user just tried to hide. This is serious.

Launchpad Details: #LP1690832 thermoman - 2017-05-15 14:56:27 +0000

[Photon89]

Attachment: Screenshot before being edited with Shutter

Launchpad Details: #LPC thermoman - 2017-05-15 14:56:27 +0000

[Photon89]

Attachment: shutter-editing.png

Launchpad Details: #LPC thermoman - 2017-05-15 14:56:43 +0000

[Photon89]

Attachment: shutter-saved.png

Launchpad Details: #LPC thermoman - 2017-05-15 14:57:02 +0000

[Photon89]

Nobody cares?

Launchpad Details: #LPC thermoman - 2017-06-07 06:50:29 +0000

[Photon89]

I tried to reproduce it but couldn't... Which version of imagemagick are you using?

Launchpad Details: #LPC Michael Kogan - 2017-06-07 09:10:21 +0000

[Photon89]

All packages installed with 'magick' in it's packagename are version

8:6.8.9.9-7ubuntu5.7

Here are steps to reproduce:

1. Take a snapshot of a window with shutter
   (terminal console or gedit with text entered,
   optimal with light text on dark background or vice versa)
2. Edit that snapshot inside shutter
3. Use the pixelize tool to draw a rectange on the image
4. Move/drag the pixelize rectangle so that the left and top edge of the rectangle
   touch the images left and top boundary.
5. Release mouse button
6. Drag rectangle a little bit to the left and to the top
   (so that the left and top edge of the rectangle isn't visible anymore
7. repeat step 5 to 6 until you can clearly see the text you're trying to hide after
   pixelize was applied.

Just tried to reproduce. Took me 10 seconds and 10-20 drags of the rectangle:

http://imgur.com/a/3v0Fx

Launchpad Details: #LPC thermoman - 2017-06-07 10:14:24 +0000

[Photon89]

Please note that using data-dependent operations in an attempt to obfuscate data is extremely dangerous:

http://fusion.kinja.com/um-bad-news-pixelating-or-blurring-doesnt-actually-wo-1793860362
https://dheera.net/projects/blur
http://cseweb.ucsd.edu/~saul/papers/pets16-redact.pdf

If you want to keep part of an image private use something that does not depend upon the underlying data. Be sure that you're not simply applying a black bar on a different layer, or changing colors of text or background, as those are also prone to failure. (Not really applicable to png but other file formats have multiple layers.)

http://blogs.adobe.com/security/2009/12/how_to_properly_redact_pdf_fil.html
https://apple.stackexchange.com/questions/22683/blacking-out-a-part-of-a-pdf-or-redaction-of-text

Thanks

Launchpad Details: #LPC Seth Arnold - 2017-06-07 23:33:53 +0000

[Photon89]

Unsubscribing ubuntu-security-sponsors since there is nothing here to sponsor.

Launchpad Details: #LPC Marc Deslauriers - 2017-06-13 19:45:07 +0000

[Photon89]

You are right, I could reproduce it. Since Shutter is not maintained any more I would advise you to use the censor tool (directly above the pixelize tool).

Launchpad Details: #LPC Michael Kogan - 2017-06-14 04:34:18 +0000

[limitedAtonement]

This is a duplicate of #218