Nikon revokes all C2PA image authenticity certificates after major vulnerability exposed


Nikon has confirmed that it will revoke all C2PA certificates issued to date after a major vulnerability in its authenticity feature was uncovered.

The flaw, first detected by long-time Nikon Rumors contributor Horshack, showed that images could be fraudulently signed by Nikon’s new C2PA-enabled cameras, raising serious questions about digital provenance and image verification.

Nikon has now paused the service while it works on a fix, with further updates promised through the Nikon Imaging Cloud.

(Image credit: Nikon Rumors / Horshack)

The vulnerability was demonstrated using a Nikon Z6 III, which had been enabled with C2PA certification. Horshack revealed that a so-called “imposter” Z6 III could produce a .NEF RAW file, later processed by the C2PA-enabled model, resulting in a signed JPEG. In one striking proof of concept, an AI-generated image of a pug flying a jet was encoded and signed, despite having no photographic provenance. This finding undermined Nikon’s new authenticity service, which was intended to provide photographers and institutions with secure proof of image origin.

To expose the weakness, Horshack created a NEF data encoder capable of converting standard digital files, such as TIFFs, into Nikon’s proprietary NEF format. The encoded data could then be embedded into a skeleton NEF from another camera, and the C2PA-enabled camera could be tricked into producing a signed output through the multi-exposure feature.

While initially used to demonstrate the flaw, Horshack has said he plans to release the encoder as open-source software, noting it has potential applications beyond this proof-of-concept, including custom composition grids and digital image effects.


In a targeted email to users, Nikon admitted the technical issue was discovered on September 4 in firmware version 2.00 for the Nikon Z6 III. The company apologized to early adopters, confirming that all certificates issued between the launch and suspension are now invalid.

Nikon made clear that the authenticity credentials attached to these images can no longer be used as proof of provenance, stressing its commitment to preventing recurrence and restoring trust in its systems.

The revocation of C2PA certificates marks a setback for Nikon, which had positioned the feature as a key step in fighting misinformation and AI-generated imagery. The company has promised to announce the resumption of service on the Nikon Imaging Cloud once the vulnerability is fixed and the framework is secure.

Until then, photographers relying on C2PA verification will need to wait for Nikon to deliver a more robust and trustworthy solution.

Sebastian Oakley
Ecommerce Editor
