CIA tracked leakers with hilariously bad Web beacon trick

WikiLeaks finds the spooks' work experience kids' Scribbles

Web beacons are objects such as transparent, single-pixel GIFs planted in emails and web pages to phone home when users access the content. They're trivially easy to expose – simply forcing an e-mail client to show URLs instead of links can do the trick.

In the case of the CIA's “Scribbles” program, WikiLeaks is trumpeting a user manual telling spooks how to plant beacons in Word files – the idea being to snag leakers by seeing the IP address of machines on which a document was opened.

The bugs would only put a leaker at risk if they were using Microsoft Office, and if they or their sysadmins had configured it to accept remote images (something this Microsoft article, for example, says has been turned off by default since at least Outlook 2007).

Microsoft told Kaspersky's Threatpost that Office 2013 and Office 365 similarly protect users, since documents are opened in Protected View by default.

If, for some reason, the user was using OpenOffice or LibreOffice to open documents, the WikiLeaks post warns that the watermark and target URL “may be visible to the end user”.

Similarly, if the documents were locked forms, or if users were passing them around encrypted or password-protected, tracking didn't work.

If you really want to read the pearl-clutching release from WikiLeaks, it's here. ®

