London: 020 0200 8142

What Can Cyber Thieves Do With Your Document Metadata?

Metadata and the Risks to your Security

Imagine the following scenario. A company not dissimilar to yours, let’s call it Thomson & Hardy Ltd, uploads a PDF of its product brochure to its website. It looks good, flawless in fact. Thomson & Hardy’s products are attractively set out, the copy word perfect. And why not, the business has a strict editorial quality control process, so it was rigorously checked before it was published.

But wait, something’s missing. An integral part of the document, the metadata, wasn’t subjected to the same scrutiny. Unlike everything else, it sailed through entirely unchecked. Now let’s fast forward a couple of days, until a cyber criminal, we’ll call him Mr Opportunist, downloads the glossy PDF brochure. What happens next is a by-product of the seemingly harmless disclosure of the metadata information included in the file.

Mr Opportunist isn’t interested in Thomson & Hardy’s products of course, he has a different goal in mind. He downloads the file, renames it test.pdf, and examines it. As shown in the screenshot below, he discovers that test.pdf was created using LibreOffice 5.1 and that the PDF version is 1.4.

Figure 1 Reading metadata with PDF Info

Armed with this juicy information including version numbers, our threat actor decides to obtain a shell access on the target as it seems the easiest way forward. As illustrated, a search is performed in Metasploit and one exact match is shown:

Figure 2 Searching for available exploits

While the vulnerability appears to target only OpenOffice, a deeper look reveals that this module can also be used for LibreOffice:

Figure 3 Confirming exploit validity

His next step is to configure the exploit to return a reverse shell upon successful execution of the payload:

Figure 4 Configuring the payload

This particular exploit requires the attacker to use social engineering to persuade someone at Thomson & Hardy to open a LibreOffice document. Since the PDF document was created using LibreOffice, there’s a good chance that at least one or two employees will use it. In the ideal scenario, everyone in the company will have it installed on their computers.

Mr Opportunist just has to think of a plausible reason, and ensure that he (or an accomplice) sounds convincing. He does a little research via LinkedIn and social media sites to identify Thomson & Hardy’s marketing staff and rings posing as a helpful user who has spotted an error with the brochure. Naturally, the marketing team want to rectify it quickly and are grateful to receive a copy of the PDF brochure with the error highlighted. An employee opens the file but it only displays a blank page on the screen:

Figure 5 The malicious document, as seen by the victim

In the background, Mr Opportunist receives a shell connection from the victim’s machine and achieves access to Thomson & Hardy’s network. In the absence of other robust security controls, he can now roam at will to do as he pleases for malicious or financial gain.

Figure 6 Reverse shell access

Metadata Risks Scenario Summary 

The key information disclosed through metadata in this case was the LibreOffice version. If it had been removed from the PDF document before it was published, it would have made the attack harder to execute. This exploit scenario is largely simplified, as in reality additional reconnaissance tasks would be necessary to turn a simple information disclosure into a complete compromise of the target (our fictitious Thomson & Hardy Ltd).

Further Good Reading on Metadata

INFOSEC INSTITUTE – MetaData and Information Security 

ForensicsWiki – Document Metadata Extraction

Microsoft – Remove hidden data and personal information by inspecting documents 

How To Prevent Metadata Information Disclosure

Ensure that all documents shared with external parties are sanitised and do not include information that may be helpful to attackers such as: software version numbers, author’s details including their username, direct telephone numbers and individual email addresses. If metadata must be attached to documents, it should be limited to generic information to reduce the attack surface.

Popular Microsoft Office and LibreOffice software allows users to remove some of the metadata quite easily. However, even when care is taken there will always be some metadata attached. In conclusion, the less the metadata says about the document, the harder it is for cyber criminals to use the extracted information for nefarious purposes.

For Perspective Risk’s expertise to protect your company, please click here to contact us.

We are Perspective Risk

  • Information security is crucial to every aspect of your business – operational efficiency, profitability, business continuity, customer confidence, brand loyalty, protection against fraud and meeting regulatory requirements.

    Our penetration testing, pen testing, pen tests and cyber security testing has proven time and time again to be an effective security assessment of business IT infrastructure.

    Perspective Risk provides in-depth security assessments, risk management and compliance solutions to help you keep your confidential information safe and your critical systems secure. We’re innovative, flexible and supportive, helping you through any information security issues to deliver real business benefits and excellent value.

  • Call Me

    Pop your details in below and we’ll be in touch soon!

    • This field is for validation purposes and should be left unchanged.

    ×
    Get Quote
    • This field is for validation purposes and should be left unchanged.
    ×