[German]The graphic processing program Gimp has a strange behaviour, that could cause serious privacy issues. If a user ‘cuts out’ an image section, to remove sensitive parts, these pixels are not deleted in the saved graphics file. Instead the pixels are only hidden by a transparency mask in an alpha channel. This can lead to the fact that supposedly removed (confidential) image contents can be restored, removing the alpha channel.
I became aware of this issue through a user hint in the discussion area of my German blog (thanks for that). Security expert Will Dormann took that up the in several tweets first after he became aware of the behavior.
Several apps (e.g. @GIMP_Official, @Apple Preview) do not actually delete content from images with an alpha channel. They simply create an alpha-channel tunnel through the content you think that you’re removing.
You may think you’ve removed content, but it’s just hidden. pic.twitter.com/vCWi80CH33
— Will Dormann (@wdormann) January 11, 2020
Dormann points out that the content of image sections will not be deleted by Gimp. Instead, an alpha channel is generated which hides the image section. If such an image is stored and uploaded to social media sites like Twitter, this can lead to the fact that the supposedly deleted but only hidden image sections could be made visible later.
On Gitlab there is a thread GIMP doesn’t properly remove image data when an alpha channel is supported which explains this in more detail. There are two issues that affect GIMP when working with an image with an alpha channel:
- When you save the image to a format that supports alpha (e.g. PNG), any “removed” picture information isn’t actually removed. GIMP simply adjusts the alpha channel to make a hole through the picture. From a UI perspective, the above picture sure seems that it has content removed. But in actuality, anybody can simply remove the alpha channel (e.g. with ImageMagick “convert” or other tools) and they will have the original, unredacted photo.
- When you save the image to a format that does not support alpha, but does support a thumbnail, that thumbnail also contains the unredacted picture. Possibly GIMP is removing the picture’s alpha channel to generate the image for the thumbnail? This is clear when using a tool that leverages an image’s thumbnail, e.g. the default Ubuntu file manager:
The whole thing is discussed on Gitlab – and German security researcher Hanno Böck has covered in this German laguage article at site Golem. The problem, the developers explain that this is the way it was intended and have closed the Dormann bug report about it.
This is something that annoys me colossally. I remember such fruitless discussions two decades ago, when I wrote 3 times a 1,000 pages book about OpenOffice.org. As a long time Word and WordPress user I became aware of several weaknesses in OpenOffice.org. But my proposals has been rejected an it seems that the developers even didn’t understand the beef of some simple questions. It’s the lock-in syndrome. At that the end I wrote the first book manuscript about OpenOffice.org with LaTex – and used Microsoft Word later for the 2nd and 3rd edition, how silly. The reason, why Linux is still facing 2-3 % market share on the desktop (I’m using Linux since 1993 from time to time).
The workaround given by the developers is a typical crutch: Paint a black bar over the area to be cut out and then cuts out. This makes the pixels black and fades them out via the alpha channel. If someone removes the alpha channel, he will only see the blackened image area. German site Golem gives some more hints on this topic in the article and has provided a help script for this topic.