Nikon sent out a new notice informing users that all C2PA certificates issued will be revoked

Here is an update on the major vulnerability in Nikon’s C2PA feature, which a long-time NR reader and contributor, Horshack, detected. Nikon has sent out a new notice informing users that all C2PA certificates issued will be revoked. Here are the details:

In my recent major vulnerability post I had my C2PA-enabled Z6 III sign a photo from my non-C2PA “imposter” Z6 III. That was a photo of a screenshot, but I also claimed it should be possible to have the camera sign any digital image data I can stuff into the NEF.

Today that is a manifested reality.

I have written an NEF data encoder, which lets me take a regular digital image file like a TIFF and encode it using Nikon’s proprietary NEF lossless compression. That encoded data can then be grafted on top of a skeleton NEF from my imposter Z6 III, which is used by my C2PA-enabled Z6 III to take a C2PA-signed jpg via the multi-exposure vulnerability.

To be clear, this is not a photo of a screenshot but a 1:1 digital copy of a source image that’s been encoded into an NEF compressed bayered format.

I present “Pug flying a commercial jet”, a Gemini-created and AI-upscaled image signed by my C2PA-enabled Z6 III:

Gemini-created AI image, signed by my Z6 III

And here is the C2PA online verifier report for the above image:

Online C2PA verifier report

You’ll notice the image is monochrome / two-toned – right now I’m using a rudimentary image -> bayer conversion on the AI source image that doesn’t handle all the intricacies of proper color conversion. That’s not a limitation of my NEF data encoder – it fully encodes any RGGB source data fed to it – but is instead due to me not having the time yet to implement the imaging pipeline for a high-quality full color conversion to feed the encoder.

Like most of the software I write, I’ll be releasing my NEF encoder as open-source on my GitHub page. The encoder has many applications besides this C2PA proof-of-concept. For example, a few years ago I published a technique for using the multi-exposure feature to create custom composition grids. That required displaying the grid on the computer and taking a photo of the screen, which is less than ideal. With the NEF encoder those grids can now be digitally perfect. You could also use it to create photo borders, digital GND effects, etc…

Outside these practical uses the encoder also opens up research possibilities – for example, it could be used to create controlled image samples for developing and refining raw image processing software.

As I described previously online, Nikon would likely need to revoke the C2PA certificates already issued, to prevent images signed by the multi-exposure vulnerability from continuing to be validated, including after a fix is released.

Here is a targeted email Nikon sent out about an hour ago – I’ve bolded the relevant portion:

This email contains an important notice regarding services provided by Nikon Imaging Cloud.

It is being sent individually by Nikon Corporation to customers who have registered to use the Nikon Authenticity Service.

Thank you for using Nikon Imaging Cloud.

A technical issue was confirmed on September 4 with the provenance recording function, which complies with the C2PA standard and is included in the Nikon Authenticity Service provided in firmware version 2.00 for the Nikon Z6III (released on August 27, 2025). Nikon has since temporarily suspended the service while working diligently to resolve the issue.

Following the distribution of this email, the issuance of new certificates will be suspended in sequence. We sincerely regret that this issue affects customers like you who were among the first to explore this new feature. The digital certificates issued and loaded onto cameras during the period between the service launch and its suspension will be invalidated. Please be advised that the authenticity credentials attached to these images are no longer valid and cannot be used as proof of provenance.

We sincerely apologize for the inconvenience and concern this issue may have caused.

Nikon takes this matter very seriously and is committed to preventing recurrence and restoring trust in our services.

We will announce the resumption of the service on Nikon Imaging Cloud website once the issue has been resolved.

Check out these two more technical posts on the same topic as well.

Nikon temporarily suspended the Nikon Authenticity Service

Major vulnerability in Nikon’s C2PA feature on the Z6 III detected by a reader?