Sunday, May 01, 2005

Security problems with hidden data in Acrobat PDF files

Issues related to "metadata" arise all the time for users of Microsoft Word, but it is pretty rare to hear about problems with Adobe's PDF format. Today, Slashdot is hosting a dicussion of an interesting incident in which a PDF version of the redacted and declassified US military report on the shooting of Italian Nicola Calipari actually contained the classified bits, which were "hidden text" and could be revealed with a simple "cut and paste" or using "Save as ..." in Acrobat Reader. Be careful about leaking confidential information with your PDFs, I guess.

Copy-and-Paste Reveals Classified U.S. Documents "Posted by CmdrTaco on Sunday May 01, @09:43AMfrom the hate-when-that-happens dept.cyclop writes "In March, U.S. troops in Iraq shot to death Nicola Calipari, the Italian intelligence agent that rescued the kidnapped journalist Giuliana Sgrena. U.S. commission on the incident produced a report which public version was censored for more than one third. Now Italian press is reporting that all confidential information in the report is available to the public, just by copying "hidden" text from the PDF and pasting it in a word processor (Italian). The uncensored report can now be directly downloaded (evil .DOC format, sorry)"

On a related note, I received a draft sub-license agreement to review from a client a few weeks ago. The licensor, who created the draft, probably didn't notice that it included loads of information using "track changes." When viewed with "final showing markup" in Word, it could be seen that the license was actually created by modifying a settlement agreement with the original licensor. The entire previous agreement was right there ... For goodness' sake, people, use a metadata scrubber!

UPDATE: You can download the original PDF file at It looks like they just drew black boxes over the text. About as effective as doing this.

1 comment: said...

I have heard through a couple techie friends that this is totally true and that adobe will not confirm or deny such allegations. I guess you can hide just about any types of data nowadays.
advice guy