Many documents published online may unintentionally reveal sensitive corporate or personal information, according to a US computer researcher.
Simon Byers, at AT&T鈥檚 research laboratory in the US, was able to unearth hidden information from many thousands of Microsoft Word documents posted online using a few freely available software tools and some basic programming techniques.
Sophisticated editing programs will often store information in a document file that the end user will not see. Storing recently deleted text can, for example, make editing a more efficient process. But Byers says it could also expose unaware users to significant risks.
Advertisement
In his report, Byers suggests that a crook could analyse electronic documents to gather information that could help them carry out corporate espionage or steal someone else鈥檚 identity to commit fraud.
鈥淚t is feasible that an individual may include their social security number on copies of a resume sent to prospective employers, but delete it from the version put online to guard against identify theft,鈥 Byers writes.
Random words
Using an ordinary online search engine and a random selection of keywords, Byers was able to find more than 100,000 Word documents including business documents and individual resumes. He chose to examine Word files because they are so common and stresses that other document formats can contain similar hidden information.
For example, in 2002 the Washington Post published a version of a letter sent by the Washington sniper in Adobe PDF format. Names and telephone numbers were visibly blacked out, but still found embedded in the file. However, Byers鈥檚 new research reveals how widespread such problems could be.
After downloading the Word files, Byers used the free software tools 鈥渁ntiword鈥 and 鈥渃atdoc鈥 to convert them to plain text. He then wrote a simple script to locate text that was not displayed in the original Word format. Byers discovered a wealth of deleted text and potentially sensitive information including people鈥檚 names, email headers, network paths and text from related documents.
Bruce Schneier, of US security consultants Counterpane, discusses the research in the latest edition of his computer newsletter Crypto-Gram, published on Friday. He says it raises an important risk with using some document formats. 鈥淭he worst is erased text,鈥 Schneier told 快猫短视频. 鈥淭his has bitten people surprisingly often.鈥
Blacked out
Neil Laver, UK group marketing manager for Microsoft Office products, says the software company is working to develop better ways for customers to ensure sensitive information is not inadvertently left in files.
He says hidden information can 鈥渋ncredibly useful鈥 in improving the functionality of the software. 鈥淏ut if some of that data is sensitive, there have to be ways of ensuring that it isn鈥檛 distributed where it shouldn鈥檛 be,鈥 he says.
The next edition of Office 2003 will include tools that will allow users to remove personal information from a document. It will also include new 鈥渋nformation rights management鈥 that will let an author specify who can read or forward a document.
Other software programs can already be used to strip concealed text from documents. But Schneier says for the time being it may be best to convert documents to plain ASCII text before publishing online. 鈥淚 don鈥檛 know of any programs that effectively clean out the extra text,鈥 he says.
Byers鈥 paper has been submitted for publication in the IEEE journal Security and Privacy.