Document metadata can be very useful on your own PC. Tag yourself as the author of a report, say, or enter some relevant details in its description, and the file should be much easier to find later.
When you need to share documents online, though, it’s a very different story. Without knowing it, you could be giving all kinds of information away to hackers: user names, network details, email addresses, software information and a whole lot more.
So does any of this apply to you? Manual checking is tedious, and could take a very long time – but fortunately, it isn’t necessary. FOCA Free is a simple tool that automates the process of checking any websites for metadata issues, and it’s both quick and easy to use.
To get started, all you have to do is click File > New Project, and enter the name and URL of the site you’d like to check. Then click the “Search All” button and FOCA will search Google, Bing and Exalead, looking for publicly-available documents that the search engines have indexed (formats supported include DOC, DOCX, PDF, PPT, PPS, XLS, XLSX, ODT, ODS, ODG, ODP and SVG, amongst others).
This generally doesn’t take long, and can in itself be a useful security check, as you might find the search engines have located documents that you didn’t think were available online. (Oops, time to check those folder permissions, maybe.)
If all is well, though, the next step is to right-click one of the files, select Download All, and watch as FOCA grabs local copies of each document. Which, of course, can be helpful for other reasons. If you want to grab all the PDF files on a particular site, say, then you don’t have to browse through endless pages, right-clicking – using FOCA is often much easier.
Once the downloads have finished, right-click one of the files again, select Extract All Metadata, and FOCA will analyse each document for you.
And then you’re finally able to browse the program’s report in the form of a Metadata Summary, which highlights everything it’s discovered.
There may be user names, of course, which could give away account names on your system. Internal URLs, network paths and printer names are commonplace, telling attackers more about your network structure. FOCA can sometimes uncover email addresses that you didn’t realise were being made public, and the program will almost always reveal a great deal about the software and operating systems that have been used to produce your documents. Which may seem relatively minor, but put all these details together and they can be of considerable assistance to anyone who’s planning an attack on your systems.
It’s a good idea to use FOCA Free to check your own website first, then, just to check for potential vulnerabilities. And if you discover any problems, then take the time to learn about metadata can be controlled by your applications.
In Office 2010, say, open a saved file, click File > Info > Check for Issues > Inspect Document > Inspect to find the hidden details in your documents, and remove them at a click. It only takes a moment, and by reducing the amount of exploitable data around you could be saving yourself a great deal of hassle later.
Your Comments & Opinion