Privacy Foundation Says Word Documents Can "Phone Home"

The Privacy Foundation released a detailed report on Wednesday outlining a method where Microsoft Word, Excel, and PowerPoint documents can be made to contain Web bugs--1 pixel by 1-pixel images that blend into the background of a document. According to the report, the bugs could be used notify tracking facilities when documents are used. In addition, the bugs could potentially read and write cookies normally used by Internet Explorer. The Privacy Foundation said the technology emerged in the "97" version of Microsoft Word, where image-related URLs could be embedded into a document in lieu of the actual image file.

Web bugs could be placed in a document through a few simple steps. In Word, a user would only need to select the "Insert", "Picture", and "From File" commands on the pull-down menus; enter the URL of the Web bug in the displayed dialog's "File Name" field; and then select the "Link to File" option. Documents that demonstrate these Web bugs are available from the Privacy Foundation's Web site:

The report goes on to state that the ability to bug a document includes bugging at the document level or at a paragraph level. For example, if a bugged paragraph were copied to another document the Web bug would then activate, thereby allowing a site to record that action. The Privacy Foundation imagines numerous uses for such technology, such as protecting copyrights and document distribution limitations, monitoring sensitive corporate documents for improper dissemination, or to help detection plagerism.

While there is little if any way to completely guard against the misuse of such technology, users can minimally disable the use of cookies within Microsoft Word, which minimize the actions a Web bug could take. In addition, security tools such as ZoneAlarm could be used to help warn users when unauthorized applications attempt to access restricted sites.

The Privacy Foundation openly acknowledged Barry Shell, Research Communications Editor at the Centre for Systems Science at Simon Fraser University in Burnaby, BC, Canada for his help. Shell discovered that Microsoft Word would access external sites under certain conditions and send that information to The Privacy Foundation.

Additional information about Web bugs is available on this Web site, as well as at The Privacy Foundation's Web site. In addition, Microsoft has released a document about this bug entitled "Cookies and Word Documents".

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.