Online Document Search Reveals Secrets

An anonymous reader writes "New Scientist is reporting that many documents published online may unintentionally reveal sensitive corporate or personal information, according to a US computer researcher. Simon Byers, at AT&T's research laboratory in the US, was able to unearth hidden information from many thousands of Microsoft Word documents posted online using a few freely available software tools and some basic programming techniques." Update: 08/16 19:06 GMT by H : The story is originally from Crypto-gram, not New Scientist.

I thought this was common knowledge?

[26199]

Well, it is amongst people who object to being mailed Word documents, anyway. They're just a really bad format for publishing information in.

See Richard Stallman's 'no-word-attachments' article, for example...

Re:I thought this was common knowledge?

[broken.data]

This is not limited to Word. This trick has been around for ages with PDF and everything else I can think of.

Hell, this is how slashdot figured out that the Microsoft Switch was a fake.

An Important Question

[linuxislandsucks]

How many word processing progreams do place hidden meta data within theri formats?

For example does OpenOffice/StarOffice and other open source programs have the saem security problem?

True story.

[oni]

A sysadmin once sent me a form letter type thing with my new password in it. The username/password was a spreadsheet object and I was able to open it to see everyone's passwords. He changed them all when I pointed this out. BTW, why do people send email messages that just say "see attached file" and the attached file is a memo with some trival content that could have been the text of the email??

Anyway, I have to admit that I was also burned by word. I was in the habit of opening the last memo I wrote from the recent documents list and using it as the starting point for newer ones. At some point, I put a bunch of policy statements on a CD and was later told that everyone was reading the hidden text. Doh!

This was back in the days of office 97 I believe. I'm not sure if Office 2k or XP still have this feature/bug.

Re:True story.

[homer_ca]

Saving Word to HTML gets rid of the hidden text, but it does still save Author information. I got this HTML spam where he saved a Word file to HTML and sent that as the message. Sure enough, the dumbass's real name was in the source as the author.

Job Recruiters

I have received two such word documents from two seperate job recruiters. The actual companies looking for the employee were hidden in the document, as well as contact information for the person at the company. Screw the middle man

My 2c.. and a terrible pun.

[zcat_NZ]

It's only going to get worse; google's really expanded on the number of File types it indexes and caches.

One of my clients was recently caught out when google indexed private metadata she didn't know was still there, so I can well understand the gravity of this situation.

DMCA violation?

[notcreative]

By using tools that break the "encryption" on, for examply, the Washington Post .pdf file mentioned in the article, isn't the researcher violating the DMCA? Isn't his whole project bragging about doing this, a la 2600?

I hope he remembers a few packs of cigarettes in order to buy himself a few nights of sleep in the Big House.

Didn't I already write about something similar?

[NewtonsLaw]

This isn't really new -- check out this story I wrote for CNet/ZDNet over a year ago.

UK govt caught out

[g_attrill]

This has happened to the UK government several times. The latter link shows whose sticky fingers were on the infamous "dodgy dossier".

Gareth