Publishing documents and sharing media on your website seems harmless on the surface, but what lurks underneath could undermine your security program. Metadata stored in those documents may be leaking information that helps adversaries attack your organization.
Metadata, in this context, is data stored inside a document that records who created it, how it was created, and in some cases where it was created. Almost all office suites embed metadata in some form, so if you haven’t heard of it before, you are likely leaking information you don’t intend to.
There are several ways to obtain metadata, but we’ve found the easiest way to do this at scale is to use open-source intelligence (OSINT) tools. For this example we’ll use FOCA (Fingerprinting Organizations with Collected Archives), a tool that pulls metadata and hidden information from the documents published on a particular domain. Installation, prerequisites, and use of FOCA are already covered in its documentation, so we’ll focus on the data we get back and how it could impact your organization.
Once you’ve run FOCA against your target domain, downloaded the documents, and extracted and analyzed the metadata, the Metadata Summary will populate with information. The types of data we find most useful in our assessments are users, emails, software, and passwords.
In a recent external network assessment we had failed to successfully password spray the client’s single-factor login portal, which was unusual given the large user base. Inspecting the metadata revealed a unique naming standard for their users: a couple of specific letters followed by 3 numbers. With that standard in hand we were able to generate the entire possible user base. Many avenues, such as OWA and forgot-password functions, allow username enumeration, so we essentially created the entire list of usernames in use within a few minutes. Password spraying those usernames, we successfully authenticated to over 30 user accounts that used weak passwords ([season][year]). It doesn’t stop there: attackers use this information for sophisticated phishing attacks, or to customize malware for the specific version of software in use.
Holistically, you should conduct periodic external network or OSINT assessments and review the metadata in all of your documents regularly. There should be a company policy on document release that mandates scrubbing metadata from documents before they are published. For specific instructions on removing hidden data from Microsoft Suite documents, refer to these steps, which detail the use of the “Document Inspector”.