
Online Document Search Reveals Secrets

An anonymous reader writes "New Scientist is reporting that many documents published online may unintentionally reveal sensitive corporate or personal information, according to a US computer researcher. Simon Byers, at AT&T's research laboratory in the US, was able to unearth hidden information from many thousands of Microsoft Word documents posted online using a few freely available software tools and some basic programming techniques." Update: 08/16 19:06 GMT by H : The story is originally from Crypto-gram, not New Scientist.
  • by 26199 ( 577806 ) * on Friday August 15, 2003 @05:38PM (#6708198) Homepage

    Well, it is amongst people who object to being mailed Word documents, anyway. They're just a really bad format for publishing information in.

    See Richard Stallman's [gnu.org] 'no-word-attachments' article, for example...

  • by linuxislandsucks ( 461335 ) on Friday August 15, 2003 @05:39PM (#6708206) Homepage Journal
    How many word processing programs do place hidden metadata within their formats?

    For example does OpenOffice/StarOffice and other open source programs have the same security problem?

  • by ComaVN ( 325750 ) on Friday August 15, 2003 @05:41PM (#6708231)
    Indeed. Search for system.dat, user.dat or pwl on Kazaa, there are always some files found.

    Although I cannot guess how many of those are honeypots.
  • True story. (Score:5, Interesting)

    by oni ( 41625 ) on Friday August 15, 2003 @05:45PM (#6708256) Homepage
    A sysadmin once sent me a form letter type thing with my new password in it. The username/password was a spreadsheet object and I was able to open it to see everyone's passwords. He changed them all when I pointed this out. BTW, why do people send email messages that just say "see attached file" and the attached file is a memo with some trivial content that could have been the text of the email??

    Anyway, I have to admit that I was also burned by word. I was in the habit of opening the last memo I wrote from the recent documents list and using it as the starting point for newer ones. At some point, I put a bunch of policy statements on a CD and was later told that everyone was reading the hidden text. Doh!

    This was back in the days of office 97 I believe. I'm not sure if Office 2k or XP still have this feature/bug.
  • Job Recruiters (Score:5, Interesting)

    by Anonymous Coward on Friday August 15, 2003 @05:49PM (#6708280)
    I have received two such word documents from two separate job recruiters. The actual companies looking for the employee were hidden in the document, as well as contact information for the person at the company. Screw the middle man
  • by broken.data ( 603253 ) on Friday August 15, 2003 @05:51PM (#6708292)
    This is not limited to Word. This trick has been around for ages with PDF and everything else I can think of.

    Hell, this is how slashdot figured out that the Microsoft Switch [slashdot.org] was a fake.
  • eh? (Score:3, Interesting)

    by DrSkwid ( 118965 ) on Friday August 15, 2003 @05:56PM (#6708320) Journal
    google indexed PDF documents, it even turns them into HTML

    of course you could always try http://searchpdf.adobe.com/

    Now there's a way to search through more than a million summaries of Adobe(R) Portable Document Format (PDF) files on the Web. Your search results will allow you to see the summaries before deciding to view the original Adobe PDF.
  • by zcat_NZ ( 267672 ) <zcat@wired.net.nz> on Friday August 15, 2003 @06:01PM (#6708348) Homepage
    It's only going to get worse; google's really expanded on the number of File types [google.com] it indexes and caches.

    One of my clients was recently caught out when google indexed private metadata she didn't know was still there, so I can well understand the gravity [google.com] of this situation.
  • Re:True story. (Score:4, Interesting)

    by homer_ca ( 144738 ) on Friday August 15, 2003 @06:12PM (#6708399)
    Saving Word to HTML gets rid of the hidden text, but it does still save Author information. I got this HTML spam where he saved a Word file to HTML and sent that as the message. Sure enough, the dumbass's real name was in the source as the author.
  • Don't worry (Score:3, Interesting)

    by ratfynk ( 456467 ) on Friday August 15, 2003 @06:13PM (#6708409) Journal
    Gates and co will take care of all your sensitive info, very soon. With the help of the DMCA Sen. Fritz and MS servers we all will be so secure that no one other than MS and the right Government agencies will be able to unlock your lock online .docs. So smarten up bow to Redmond and pay up suckers! It's upgrade or lose mania time again can your business not afford the wonderful new security that's coming? Good luck getting your secretaries to use anything other than MS orafice!
  • by siskbc ( 598067 ) on Friday August 15, 2003 @06:25PM (#6708464) Homepage
    This will become a common way for 'big' corps to spy on 'small' corps (and individual users?), to find new ways to both screw them over, and appear 'omniscient'. They'll never (or rarely) get called on it. Meanwhile, anyone who tries to reveal information discovered in this way which is incriminating towards said big corps will get sued for being "hackers" and/or "terrorists".

    Aside from the paranoia overtones, I still disagree. The tools for doing this are on the web. Right now. So in other words, a weapon has been released that is free and easy to use. If anything, this will help small, poor companies with no resources for industrial espionage get a little information out of people who don't know any better, including their large-company rivals. All they have to do is hire one of the celibate wonders that read slashdot, and they're in business.

  • DMCA violation? (Score:4, Interesting)

    by notcreative ( 623238 ) on Friday August 15, 2003 @06:28PM (#6708482) Journal

    By using tools that break the "encryption" on, for example, the Washington Post .pdf file mentioned in the article, isn't the researcher violating the DMCA? Isn't his whole project bragging about doing this, a la 2600?

    I hope he remembers a few packs of cigarettes in order to buy himself a few nights of sleep in the Big House.

  • by randyest ( 589159 ) on Friday August 15, 2003 @06:34PM (#6708505) Homepage
    Whoa, that's very cool. I love it when I learn a new google goodie.

    If you didn't try that 'gravity' link in the parent, check this out [google.com]. Google calculator -- takes input in standard algebraic format, and knows some variables and units too (such as "G" being the universal gravitational constant, "mass of earth", and "radius of earth"), so you can just use the variable name and google fills in the values, converts units as needed, and gives a numeric result. Nice.

    However, unless I'm doing something wrong or they're still updating, the known variables seem rather limited. ( population of china ) / ( surface are of earth) didn't work. Neither did ( 1 barleycorn ) / (1 mm).

    Anyone have tips on this new google gem?
  • by NewtonsLaw ( 409638 ) on Friday August 15, 2003 @06:47PM (#6708548)
    This isn't really new -- check out this story [com.com] I wrote for CNet/ZDNet over a year ago.
  • by gnuforpresident2004 ( 698618 ) on Friday August 15, 2003 @06:49PM (#6708557) Homepage
    This type of thing happens all the time, not just with digital media but with other media also. People go through others' garbage recreating shredded documents, camcorders catching people in the act, carbon paper, copying machines. You always need to be careful when dealing with your and others' information.
  • UK govt caught out (Score:3, Interesting)

    by g_attrill ( 203506 ) on Friday August 15, 2003 @06:55PM (#6708605)

    This has happened to the UK government several [theregister.co.uk] times [computerbytesman.com]. The latter link shows whose sticky fingers were on the infamous "dodgy dossier".

    Gareth

  • by superyooser ( 100462 ) on Friday August 15, 2003 @08:01PM (#6709162) Homepage Journal
    Does anybody know of a program that can clean up deleted info in Word docs? I'm thinking of something like Ad-Aware that scans for certain files, shows you possible security issues (supposedly deleted text, metadata in document properties, etc.), and asks you what action it should take (wipe out/edit text, delete file, etc.).
  • Re:Nothing New (Score:3, Interesting)

    by aengblom ( 123492 ) on Friday August 15, 2003 @08:34PM (#6709416) Homepage
    That is because the people who published the PDF were idiots.
    And that makes you an idiot?
    Yes, we were idiots. I work for the Post in a limited degree and we now have a sheet of paper on a quite visible bulletin board describing how we were idiots.

    The .com folks who would post such a document are well aware to checkout if blacking it out was done correctly....now.
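
homer_ca's comment above notes that a Word file saved as HTML still carries the author's name in its source. As an added example that is not part of the original thread, here is a pre-publication check that reports and removes that metadata. The sample HTML is constructed; the element names are the ones Word writes in its `o:DocumentProperties` block, and the function names are made up for this example.

```python
import re
from html import unescape

# Identifying properties Word writes inside <o:DocumentProperties> on "Save as HTML".
SENSITIVE_PROPS = ("Author", "LastAuthor", "Company")
ISLAND = r"<o:DocumentProperties>(.*?)</o:DocumentProperties>"
TOOL_META = r'<meta\s+name="?(Generator|Originator)"?\s+content="([^"]*)"'
FLAGS = re.S | re.I

# Constructed sample of Word-exported HTML (names are placeholders).
SAMPLE = """<html xmlns:o="urn:schemas-microsoft-com:office:office">
<head>
<meta name=Generator content="Microsoft Word 9">
<!--[if gte mso 9]><xml>
 <o:DocumentProperties>
  <o:Author>Jane Example</o:Author>
  <o:LastAuthor>J. Example</o:LastAuthor>
  <o:Company>Example Corp</o:Company>
  <o:Revision>2</o:Revision>
 </o:DocumentProperties>
</xml><![endif]-->
</head>
<body><p>Special offer</p></body></html>"""

def find_word_metadata(html_text):
    """Return {property: value} for identifying metadata left in the HTML."""
    found = {}
    for island in re.findall(ISLAND, html_text, FLAGS):
        for prop in SENSITIVE_PROPS:
            m = re.search(rf"<o:{prop}>(.*?)</o:{prop}>", island, FLAGS)
            if m and m.group(1).strip():
                found[prop] = unescape(m.group(1).strip())
    # The Generator/Originator meta tags reveal the authoring tool and version.
    for m in re.finditer(TOOL_META, html_text, re.I):
        found[m.group(1).capitalize()] = m.group(2)
    return found

def strip_word_metadata(html_text):
    """Remove the properties island and tool meta tags; the body is untouched."""
    wrapped = r"<!--\[if gte mso 9\]><xml>\s*" + ISLAND + r"\s*</xml><!\[endif\]-->"
    cleaned = re.sub(wrapped, "", html_text, flags=FLAGS)
    cleaned = re.sub(ISLAND, "", cleaned, flags=FLAGS)  # island without wrapper
    return re.sub(r'<meta\s+name="?(?:Generator|Originator)"?[^>]*>\s*', "",
                  cleaned, flags=re.I)

if __name__ == "__main__":
    for key, value in find_word_metadata(SAMPLE).items():
        print(f"{key}: {value}")
```

Run `find_word_metadata` on the cleaned output as well, so that an empty result is what gates publication rather than the assumption that stripping worked.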
