PseudoDNA: Identifying Critical Vulnerabilities in Microsoft's PhotoDNA
Researchers from the COSIC group at KU Leuven have uncovered major security weaknesses in PhotoDNA, a technology widely used to detect Child Sexual Abuse Material (CSAM) online. The system is deployed at global scale by major platforms including Google, Instagram, TikTok, Facebook, and Microsoft. The newly identified flaws could affect millions of users and call into question the reliability of existing detection systems.

About the research

The study provides the first full mathematical description of the PhotoDNA algorithm and reveals structural weaknesses that could undermine the reliability of global CSAM detection systems. Billions of images are scanned every day using this technology to detect illegal content online. PhotoDNA, co-designed by Microsoft in 2009, is deployed by major technology companies and organizations including Microsoft, Google, and the U.S. National Center for Missing and Exploited Children (NCMEC). Despite its central role in online safety, its internal design had never been publicly documented until now.

The researchers demonstrate that attackers can, within seconds, manipulate images shared by innocent users in ways that could lead to false accusations of distributing CSAM. At the same time, malicious actors can evade detection by subtly altering illicit content, enabling them to disseminate CSAM without being flagged or reported by existing detection systems.

Key findings

The research identifies several critical vulnerabilities:

- Detection evasion: Illicit images can be minimally modified so that they no longer match known CSAM hash values, allowing criminals to evade detection.
- False positives: Benign images can be manipulated to resemble the hash values of known CSAM, potentially leading to wrongful accusations.
- Hash reversal: Partial visual information can be reconstructed from a PhotoDNA hash value, contradicting longstanding claims that the hash is irreversible.
- Collisions: Two different high-quality images can be engineered to produce exactly the same PhotoDNA hash value.

All demonstrated attacks run in seconds or minutes on a standard laptop and achieve near-perfect success rates, a substantial improvement over previously known attacks. Both bypassing detection and triggering incorrect matches can be done quickly and reliably with ordinary computing resources.

Policy implications

These findings raise concerns for large-scale client-side scanning proposals, including versions of the EU's "chat control" regulation. The researchers warn that deploying PhotoDNA-like systems on billions of devices could lead to information leakage, undetected CSAM, and false accusations due to the fragility of the underlying technology. The authors emphasize that the goal of this work is to strengthen protections for CSAM victims by encouraging more robust, transparent, and targeted detection mechanisms.

Ethical considerations

Given the sensitivity of the topic and the risk of abuse, the researchers decided not to publish all software in full and to omit some minor technical details. The team followed a coordinated vulnerability disclosure process with Microsoft, which included a discussion of mitigation strategies.
In the press

English
- "Microsoft PhotoDNA is vulnerable to false positives and data leakage", by Bill Mann — Featured in: Cyber Insider

Dutch
- "Onderzoekers KU Leuven ontdekken ernstige beveiligingslekken in PhotoDNA van Microsoft" ("KU Leuven researchers discover serious security flaws in Microsoft's PhotoDNA"), by Belga — Featured in: MSN
- "Leuvense onderzoekers kraken tool van Microsoft om kinderpornografie op te sporen: 'Risico op valse beschuldigingen'" ("Leuven researchers crack Microsoft tool for detecting child pornography: 'Risk of false accusations'"), by Roel Damiaans — Featured in: Het Belang van Limburg [Paywall]
- "De tool die al 17 jaar gebruikt wordt om beelden van kindermisbruik op te sporen, blijkt lek: 'Beelden kunnen gemanipuleerd worden voor onterechte beschuldigingen'" ("The tool used for 17 years to detect child abuse imagery turns out to be flawed: 'Images can be manipulated to produce wrongful accusations'"), by Arthur De Meyer — Featured in: Nieuwsblad, Gazet van Antwerpen
- "Onderzoekers vinden kwetsbaarheden in systeem dat kinderporno moet opsporen" ("Researchers find vulnerabilities in system meant to detect child pornography"), by Els Bellens — Featured in: Trends DataNews
- "Belgisch onderzoek legt bom onder AI voor bestrijden kindermisbruik: lekken in software die TikTok en Instagram gebruiken" ("Belgian research undermines AI for fighting child abuse: flaws in software used by TikTok and Instagram"), by Kenneth Dée — Featured in: Het Laatste Nieuws [Paywall]

French
- "Une étude flamande révèle des failles de sécurité dans un logiciel réputé de Microsoft" ("Flemish study reveals security flaws in a well-known Microsoft software product"), by Belga — Featured in: RTBF, La Libre, La Dernière Heure
- "Des chercheurs découvrent des failles dans un système de détection de contenus pédopornographiques" ("Researchers discover flaws in a system for detecting child sexual abuse content"), by Els Bellens — Featured in: Le Vif
- "Une étude belge démontre que les logiciels IA censés protéger les mineurs sur TikTok et Instagram ne fonctionnent pas" ("Belgian study shows that the AI software meant to protect minors on TikTok and Instagram does not work"), by Kenneth Dée — Featured in: 7sur7
- "Le système mondial de détection d'images pédopornographiques en ligne est boiteux" ("The global system for detecting child sexual abuse images online is shaky"), by Philippe Laloux — Featured in: Le Soir

Other
- "'Gaps' in the system for detecting online child abuse images", by VietnamPlus — Featured in: Vietnam.vn

False positive attack

In a false positive attack, an attacker starts from a benign image and applies a minimal modification so that the resulting image matches the hash value of a completely different target image. In practice, the target image could be CSAM or any other illegal material.
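The document does not disclose PhotoDNA's internals, so the principle can only be illustrated with a deliberately weak toy perceptual hash (per-block mean brightness, quantized into buckets). Everything below — `toy_hash`, `force_match`, the bucket size — is an assumption for illustration, not the paper's algorithm or attack; against a real perceptual hash the modification would have to be far subtler to stay imperceptible:

```python
def toy_hash(img, block=4):
    """Toy stand-in for a perceptual hash: per-block mean brightness,
    quantized into 16-level buckets. Illustration only; not PhotoDNA."""
    return tuple((sum(img[i:i + block]) // block) // 16
                 for i in range(0, len(img), block))

def force_match(img, target_hash, block=4):
    """Second-preimage attack on the toy hash: uniformly shift each block's
    brightness so its quantized mean lands in the target bucket
    (assumes no pixel needs clipping at 0 or 255)."""
    out = list(img)
    for b, lvl in enumerate(target_hash):
        seg = out[b * block:(b + 1) * block]
        delta = 16 * lvl + 8 - sum(seg) // block   # aim at the bucket centre
        out[b * block:(b + 1) * block] = [min(255, max(0, p + delta)) for p in seg]
    return out

# A tiny 16-"pixel" greyscale image and a different image whose hash we target.
benign = [200, 201, 202, 203, 180, 181, 182, 183,
          150, 151, 152, 153, 120, 121, 122, 123]
target = [p - 20 for p in benign]

forged = force_match(benign, toy_hash(target))
assert toy_hash(forged) == toy_hash(target)   # forged image matches the target's hash
assert forged != target                       # yet it is not the target image
```

Each pixel of `forged` stays within 17 grey levels of `benign`: a modest change to the benign image is enough to collide with a foreign hash, which is the essence of the false positive attack described above.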
Starting from an unrelated benign image, an attacker can compute a very small modification so that the modified image is detected as if it were the target image. This creates a false positive: content that is not illegal may still be flagged as prohibited because its perceptual hash has been manipulated to resemble that of the target illegal content.

[Interactive demo: given a benign visual target and the hash of an illicit target image, the tool generates a modified image whose PhotoDNA hash matches the illicit target.]

Detection evasion

In a detection evasion attack, an attacker slightly modifies a chosen image so that its hash value differs significantly from the original, thereby evading detection. In practice, the original image could be CSAM or any other illegal content. An attacker can slightly modify this content so that it resembles an innocent image. This evades detection: illegal content is not flagged as prohibited because its perceptual hash value has been altered to differ from the original.

[Interactive demo: applying either global or local changes to the original image produces hash values that no longer match the original's.]

Hash reversal

In a hash reversal attack, an attacker tries to extract information about the original image from its hash value. In practice, the original image could contain privacy-sensitive information, which an attacker can then extract from the hash value alone. Privacy therefore cannot be guaranteed: access to the hash value alone is enough to recover information about the image.
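Why a perceptual hash can leak visual information is easy to see with the same kind of toy hash: each hash component constrains a region of the image, so the hash can be expanded back into a coarse picture. This sketch is an assumption-laden illustration (`toy_hash` and `reverse_toy_hash` are invented here), not the researchers' reconstruction technique:

```python
def toy_hash(img, block=4):
    """Toy stand-in for a perceptual hash: per-block mean brightness,
    quantized into 16-level buckets. Illustration only; not PhotoDNA."""
    return tuple((sum(img[i:i + block]) // block) // 16
                 for i in range(0, len(img), block))

def reverse_toy_hash(h, block=4):
    """Each bucket level pins the block's mean brightness to within 16
    grey levels, so a coarse, blocky approximation can be rebuilt
    directly from the hash value."""
    recon = []
    for lvl in h:
        recon.extend([16 * lvl + 8] * block)   # bucket centre for every pixel
    return recon

original = [200] * 4 + [120] * 4 + [40] * 4 + [220] * 4   # 16-"pixel" image
recon = reverse_toy_hash(toy_hash(original))

assert toy_hash(recon) == toy_hash(original)   # reconstruction is hash-consistent
# recon tracks the original's bright/dark structure block by block:
# the hash alone leaks a low-resolution version of the image.
```

The real finding is stronger — partial visual information can be reconstructed from an actual PhotoDNA hash — but the mechanism is the same: the hash is a lossy summary of the image, not a one-way fingerprint.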
[Interactive demo: from a target hash value alone, the tool reconstructs an image that approximates the original and produces the same hash.]

Collision attack

In a collision attack, an attacker modifies any two images of their choice so that they share the same hash value. In practice, this demonstrates how ineffective the algorithm is at distinguishing between visually similar and dissimilar images.

[Interactive demo: two different images are each modified so that both produce the identical generated hash value.]
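The collision idea can also be sketched with the toy hash from the earlier illustrations: steer both images towards a common hash value chosen between their original hashes. Again, `toy_hash`, `nudge_to`, and `collide` are invented for this sketch; unlike this crude toy, where the shifts are large and visible, the paper reports collisions between two high-quality images:

```python
def toy_hash(img, block=4):
    """Toy stand-in for a perceptual hash: per-block mean brightness,
    quantized into 16-level buckets. Illustration only; not PhotoDNA."""
    return tuple((sum(img[i:i + block]) // block) // 16
                 for i in range(0, len(img), block))

def nudge_to(img, target_hash, block=4):
    """Uniformly shift each block so its quantized mean lands in the
    corresponding target bucket (assumes no clipping at 0 or 255)."""
    out = list(img)
    for b, lvl in enumerate(target_hash):
        seg = out[b * block:(b + 1) * block]
        delta = 16 * lvl + 8 - sum(seg) // block   # aim at the bucket centre
        out[b * block:(b + 1) * block] = [p + delta for p in seg]
    return out

def collide(img_a, img_b):
    """Steer two different images towards one shared, in-between hash."""
    shared = tuple((a + b) // 2
                   for a, b in zip(toy_hash(img_a), toy_hash(img_b)))
    return nudge_to(img_a, shared), nudge_to(img_b, shared)

img_a = [230, 226, 234, 228] * 2 + [30, 34, 26, 32] * 2    # bright then dark
img_b = [60, 64, 56, 62] * 2 + [190, 186, 194, 188] * 2    # roughly inverted

col_a, col_b = collide(img_a, img_b)
assert col_a != col_b                       # still two distinct images...
assert toy_hash(col_a) == toy_hash(col_b)   # ...with identical hash values
```

Because the per-block texture of each image is preserved by the uniform shift, the two outputs remain distinct images, yet any system that compares only hash values treats them as the same picture — which is exactly what a collision exploits.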