Nikon has confirmed that it will revoke all C2PA certificates issued to date after a major vulnerability in its authenticity feature was uncovered.
The flaw, first detected by long-time Nikon Rumors contributor Horshack, showed that images could be fraudulently signed by Nikon’s new C2PA-enabled cameras, raising serious questions about digital provenance and image verification.
Nikon has now paused the service while it works on a fix, with further updates promised through the Nikon Imaging Cloud.
The vulnerability was demonstrated using a Nikon Z6 III, which had been enabled with C2PA certification. Horshack revealed that a so-called “imposter” Z6 III could produce a .NEF RAW file, later processed by the C2PA-enabled model, resulting in a signed JPEG. In one striking proof of concept, an AI-generated image of a pug flying a jet was encoded and signed, despite having no photographic provenance. This finding undermined Nikon’s new authenticity service, which was intended to provide photographers and institutions with secure proof of image origin.
To expose the weakness, Horshack created a NEF data encoder capable of converting standard digital files, such as TIFFs, into Nikon’s proprietary NEF format. These could then be embedded into a skeleton NEF from another camera and tricked into producing a signed output through the multi-exposure feature.
While initially used to demonstrate the flaw, Horshack has said he plans to release the encoder as open-source software, noting it has potential applications beyond this proof-of-concept, including custom composition grids and digital image effects.
In a targeted email to users, Nikon admitted the technical issue was discovered on September 4 in firmware version 2.00 for the Nikon Z6 III. The company apologized to early adopters, confirming that all certificates issued between the launch and suspension are now invalid.
Nikon made clear that the authenticity credentials attached to these images can no longer be used as proof of provenance, stressing its commitment to preventing recurrence and restoring trust in its systems.
The revocation of C2PA certificates marks a setback for Nikon, which had positioned the feature as a key step in fighting misinformation and AI-generated imagery. The company has promised to announce the resumption of service on the Nikon Imaging Cloud once the vulnerability is fixed and the framework is secure.
Until then, photographers relying on C2PA verification will need to wait for Nikon to deliver a more robust and trustworthy solution.
What are C2PA Content Credentials, and how could they save photography?
Author: Sebastian Oakley
Source: DigitalCameraWorld
Reviewed By: Editorial Team
