explaingit

bishopfox/unredacter

8,298 · TypeScript · Audience · ops devops · Complexity · 2/5 · Setup · easy

TLDR

A security research tool by Bishop Fox that proves pixelated text in screenshots can often be recovered, showing that pixelation is not a safe way to hide sensitive information in shared images.

Mindmap

mindmap
  root((unredacter))
    What it shows
      Pixelation is unsafe
      Text can be recovered
      Color averaging method
    How it works
      Match font rendering
      Compare pixel blocks
      Character by character
    Setup
      Node.js required
      npm install
      Local web app
    Use cases
      Security audits
      Redaction testing
      Research demos


Things people build with this

USE CASE 1

Demonstrate to a client or team that pixelating text in screenshots does not reliably protect sensitive information.

USE CASE 2

Attempt to recover pixelated text from a screenshot when you know the font and approximate pixel block size.

USE CASE 3

Test whether your organization's screen-redaction process is secure before publishing images with sensitive content.

Tech stack

TypeScript, Node.js, HTML, CSS

Getting it running

Difficulty · easy · Time to first run · 30min

The hardest step is manually matching the CSS font, size, weight, and letter spacing to the original screenshot, which requires trial and error.

In plain English

Unredacter is a tool by Bishop Fox, a security research firm, that demonstrates why pixelation is not a reliable way to hide text in images. The project exists to show that pixelated text can often be recovered if you know a few things about the original, such as the font and the size of the pixel blocks used.

The core idea is that pixelation averages the colors of nearby pixels together. If you know the font the text was set in and can replicate the rendering conditions closely enough, you can run every possible character through that same averaging process and compare the results to the pixelated image. The character whose averaged output most closely matches the target pixel block is likely the original character. Doing this across an entire word or sentence lets you reconstruct the original text.

Using the tool is a manual process. You crop the image down to just the pixelated region, measure the pixel block size, and then painstakingly adjust CSS in a test HTML file to replicate how the original text would have rendered. Getting the font, letter spacing, word spacing, and font weight right is the hardest and most critical step. Once those settings match closely enough, you select a character set to try and press a button to start the comparison.

The tool is written in TypeScript and runs as a local web app. Setup requires Node.js: run npm install and then npm start. The project author notes the process is rough around the edges and not built for general-purpose use. The README is brief, but a full technical writeup explaining the method is available on the Bishop Fox blog.

If you are a security professional reviewing whether pixelation adequately protects sensitive information in screenshots or documents, this project gives a concrete answer: it does not.
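The matching process described above, as an added TypeScript example for redaction testing (not Unredacter's own code). It assumes a constructed 3x6 bitmap font, a block size of 3 pixels and a known text length; the function names are hypothetical, and letter pitch stands in for the rendering settings that have to match.

```typescript
// Constructed 3x6 one-bit font (assumption): stands in for a font matched to the screenshot.
const FONT: Record<string, string[]> = {
  a: ["010", "101", "101", "111", "101", "101"],
  b: ["100", "100", "110", "101", "101", "110"],
  c: ["011", "100", "100", "100", "100", "011"],
  e: ["111", "100", "110", "100", "100", "111"],
};
const ROWS = 6, BLOCK = 3; // glyph height; pixelation block size measured from the image

// Render text to a 0/1 grid. pitch = glyph width (3) plus letter spacing.
function render(text: string, pitch: number): number[][] {
  const img: number[][] = [];
  for (let y = 0; y < ROWS; y++) {
    img.push([]);
    for (let x = 0; x < text.length * pitch; x++) // columns past the glyph are spacing
      img[y].push(FONT[text[Math.floor(x / pitch)]][y][x % pitch] === "1" ? 1 : 0);
  }
  return img;
}

// Pixelate: mean of every full BLOCK x BLOCK tile, flattened column by column, left to right.
function pixelate(img: number[][]): number[] {
  const tiles: number[] = [];
  for (let bx = 0; bx + BLOCK <= img[0].length; bx += BLOCK)
    for (let by = 0; by + BLOCK <= ROWS; by += BLOCK) {
      let sum = 0;
      for (let y = by; y < by + BLOCK; y++)
        for (let x = bx; x < bx + BLOCK; x++) sum += img[y][x];
      tiles.push(sum / (BLOCK * BLOCK));
    }
  return tiles;
}

// Squared error over the tiles that both the guess and the target contain.
const distance = (g: number[], t: number[]) =>
  g.slice(0, t.length).reduce((d, v, i) => d + (v - t[i]) ** 2, 0);

// Greedy search: extend the prefix with the character whose tiles best match the target.
// Tiles straddle character boundaries, so each guess is rendered together with its prefix.
function recover(target: number[], length: number, pitch: number) {
  const score = (s: string) => distance(pixelate(render(s, pitch)), target);
  let text = "";
  for (let i = 0; i < length; i++)
    text += Object.keys(FONT).reduce((a, b) => (score(text + b) < score(text + a) ? b : a));
  return { text, error: score(text) };
}

const SECRET = "cabbace"; // constructed sample text
const REDACTED = pixelate(render(SECRET, 4)); // true layout: pitch 4
console.log(recover(REDACTED, SECRET.length, 4), recover(REDACTED, SECRET.length, 5));
```

With the matching pitch the residual error is zero and the text comes back exactly; with the wrong pitch the residual stays above zero, which is the signal that the rendering settings do not yet match.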

Copy-paste prompts

Prompt 1
I have a screenshot with pixelated text and I know the font is Arial at 16px. Walk me through using Unredacter to attempt recovery of the original text.
Prompt 2
How do I set up Unredacter locally and configure the CSS in the test HTML file to match the original text rendering conditions?
Prompt 3
What conditions must be met for Unredacter to successfully recover pixelated text, and when will the recovery fail?

Verify against the repo before relying on details.