CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Email attachments can be pretty revealing

People routinely attach word processing documents to email messages without realizing that the attachments may reveal more than they ever intended.

    People routinely attach word processing documents to email messages without realizing that the attachments may reveal more than they ever intended.

    For example, law firms commonly attach legal contracts to email. But it's easy for documents from word processing programs, such as Microsoft Word, to contain material that was supposedly deleted.

    Kevin Lyda is a Unix programmer who said he recently received an employment contract in the form of an attached Word document. Since his computer didn't have a copy of Word, Lyda said he ran the attached file through "strings," a Unix utility that displays only the text characters in a file.

    He said he found that Word had saved within the file at least five previous versions of the same employment contract--including the terms that had been offered to previous job applicants.

    "It's the one time I've found a Microsoft product useful," Lyda quipped. "I discovered that my offer was quite competitive compared to others in the company. Only one person got a better bonus."

    The old versions of the document were probably retained because of Word's "Allow fast saves" feature. The feature can be turned on or off by clicking Tools, Options and then checking or unchecking the box that is found under the Save tab. Few Word users know this trick exists.

    The "fast save" feature tacks a record of each change onto the end of the computer file that is written. This cuts down on the time the program spends saving files. But it also retains older sections that may have been deleted from the visible document.

    Turning the feature off causes the program to rewrite each document from scratch, removing older wordings.

    But it's not just Word that can expose your darkest secrets to email recipients. A different problem affects any word processing program that permits revisions to a document to be highlighted, accepted and rejected.

    This feature, which in some programs is called "Track changes," allows several people to make edits to a document. A reviewer can then examine the document and accept or reject individual changes.

    But unfortunately, you may someday write, "The jerk wants the following changes"--and then find that "the jerk" found all the supposedly invisible revisions.

    In Word, for example, revisions like these remain in a document unless a person clicks the program's "Accept all" changes command.

    An unwitting Word user may simply turn off the "Highlight changes" feature. In that case, all comments and revisions remain in a document, waiting for a recipient to turn the feature back on.

    Avi Rubin, a correspondent of the security-oriented Risks Digest newsletter, said a single command in Word exposed the revisions in a contract sent to him by a lawyer.

    "We got a good look at the previous version of the contract," Rubin said, "as well as a bunch of comments and justifications that the lawyer wrote to his client."

    In extreme cases, documents made available on the Web can endanger lives.

    Last June, The New York Times posted on its Web site a classified CIA report on the 1953 overthrow of the government of Iran.

    To prevent reprisals against the coup plotters or their descendants, the newspaper's staff "blacked out" several names in the report, which had been scanned page by page.

    But the names were available to anyone with a graphical editing program. That's because the Times had drawn boxes over the sensitive names using Adobe Photoshop.

    As described by security site Cryptome, the black boxes the Times had drawn over the names could be removed using any similar program. Even halting a browser while it drew certain pages could reveal some of the names before the boxes were fully formed.

    The Times revised the pages on its Web site to eliminate the problem.

    When distributing sensitive documents, you may want to consider formatting them as HTML, as this Web format is much less likely to store old revisions. And for the truly paranoid, there's always plain text.

    Consumer advocate Brian Livingston appears at CNET News.com every Friday. Do you know of a problem affecting consumers? Send info to tips@BrianLivingston.com. He'll send you a book of high-tech secrets free if you're the first to submit a tip he prints.