2

I've heard that opening a document in Microsoft Word can reveal the user's IP address (something to do with verifying certificates).

What does happen here? Are there any other ways (apart from the certificate verification) this can happen? Can this be prevented?

Samuel Shifterovich
  • 876
  • 9
  • 18
  • This is called a [web bug](https://www.cnet.com/uk/news/word-documents-susceptible-to-web-bug-infestation/) – paj28 Oct 03 '16 at 19:40

1 Answers1

6

Yes there are also other ways to do this as well.

What you are referring too is adding an invisible digital signature using your own certificate authority and tracking the signature checks. More information on signing a document with an invisible signature can be found here but again you'll also need to setup your own CA and monitor it's traffic:

https://support.office.com/en-us/article/Add-or-remove-a-digital-signature-in-Office-files-70d26dc9-be10-46f1-8efa-719c8b3f1a2d

Other ways this can happen occur when people leverage the scripting function within the document to make a call to a unique URL or DNS request to a unique host either or which then reveals the person who opens the documents publicly accessible external IP address. These can be embedded in different document types in a number of different ways and there are many commercial services which offer software just to do this. Likewise there are many penetration testing tools / red team exploitation tools for Word and other document types (.pdf's are more commonly exploited because these can in some cases also give an attacker a remote shell on the system where the document was opened).

https://www.intralinks.com/products/information-rights-management

http://arstechnica.com/security/2012/05/doctrackr-file-tracking-for-paranoid-people-by-paranoid-people/

https://www.immunityinc.com/products/canvas/

Can this be prevented. Yes but not easily you have to really lock your internal computers security down well and either have tight egress rules which don't allow traffic out or block the IP address(es) the documents want to call home too.

Trey Blalock
  • 14,099
  • 6
  • 43
  • 49
  • 3
    You don't need a script or a signature. A simple embedding of a 1 pixel image from a managed server is plenty and is a technique used by a couple of tracking tools for Office. Opening the file triggers a get on the image which the server will log (assuming you are online of course). – Julian Knight Oct 03 '16 at 19:10
  • The ultimate protection is disabling any networking (unless the requests get into some kind of queue, then an OS like Tails would be ideal), right. – Samuel Shifterovich Oct 03 '16 at 19:48
  • @JulianKnight can you disable loading remote content in some Office software just like in e-mail clients? – Samuel Shifterovich Oct 03 '16 at 19:51
  • I *think* but am not certain that when loaded from an untrusted location it wont load them but otherwise I don't think so without turning up the security to the max which makes Office pretty well unusable for most people. – Julian Knight Oct 03 '16 at 19:59