Overlay oversight: forum member exposes weakness in Nikon's Content Credentials

Photo: dpreview.com

Images: Nikon, C2PA

Last week, Nikon released firmware v2.0 for the Z6III, which brought support for C2PA Content Credentials alongside several other features.

Theoretically, the cryptographic signature should prove that an image was authentically captured with the camera, and that it hasn't been tampered with since its creation. However, DPReview forum user Horshack has found a way to get the camera to sign an image that it didn't actually take.

You should check out the thread for Horshack's (well-written, as per usual) explanation of how he did it. The summary is that it works by using the Z6III's Multiple Exposure feature. Nikon lets you select a photo as your base, and then stack multiple exposures on top of it. Horshack selected a Raw image taken by another Z6III without the content credentials feature enabled.

This image, created inauthentically, has Content Credentials that claim it was taken with a Z6III. Because it was... but only kind of.
Image: Horshack

He then took a multiple exposure picture with the lens cap closed. The result: the previously unsigned image, now with a Content Credential attached. If you put the JPEG into Adobe's Content Credentials Inspect tool, it appears to be a perfectly normal image, signed as authentic by the Z6III.

When asked about the issue, Nikon told DPReview that "An investigation is currently ongoing," and said there is a notice to users that the service is currently in beta.

Horshack theorizes this trick would work even with a Z6III Raw file that had been modified to include, say, an AI-generated image. Stuffing another image into a Raw file isn't necessarily something you can do with standard software, but Horshack believes it could be done, thereby removing the need to take an authentic image in order to get a signed file.

The capture details section doesn't contain any information that the image was created by taking multiple exposures.

The trick isn't completely bulletproof. The image's EXIF data reports that it was created using multiple exposures, though Horshack also discovered that you may be able to edit an image's metadata fields without invalidating the content credential. A few fields, such as the camera's serial number, are stored within the credential itself, but most are not.

We attempted to edit a few metadata fields using exiftool, but each test we did resulted in Adobe's Content Credentials Inspect tool showing that it no longer had credentials.


Horshack says he discovered the issue after trying to come up with ways the Content Credentials feature might fail. "When I thought of it I assumed Nikon wouldn't sign images taken with the feature, to prevent the outcome I achieved," he said.

With the Content Credentials being in beta, there were bound to be bugs; in fact, Horshack also seems to have figured out why some users had to wait several hours before their cameras started signing images. However, being able to use it to sign images taken under different conditions is a pretty big issue, one we hope that Nikon will iron out as soon as possible.


2025-9-8 03:40
