Microsoft OneDrive for Business allegedly keeps OCR'ed data in an unprotected format

News
By published

Data stored an unsecured database on the host PC

OneDrive install on phone
(Image credit: Shutterstock)

It is not a secret that both Apple and Microsoft use optical character recognition (OCR) and image recognition for images stored on MacOS and Windows-based PCs to simplify search and enable other features. Security expert Brian Maloney, the author of the Malware Malone blog, claims that Microsoft's OneDrive for Business does the same for images it stores and then stores data it obtains from them in an unsecured database on the host PC. There are a couple of catches here.

Storing data locally for a cloud storage service is not a bad idea. It enables access to certain functions and some data offline and can potentially reduce transfers to and from the cloud, saving some money when using data roaming abroad. However, it appears that the data obtained from the images is stored in an unprotected format, meaning that if a perpetrator gets hold of the PC, they will be able to access that data by either removing the drive (assuming that it is not encrypted) and installing it into a different PC, or using a password.

"Would you be okay with Microsoft performing OCR on all of your saved OneDrive images, storing the OCR'd data in plain text locally, and making it accessible without administrative privileges," asked vx-underground.org in an X survey. "If you voted 'Yes' — your wish has come true! Microsoft performs OCR on all saved file images for OneDrive Business™! Any image saved with OneDrive is stored locally in an SQLite file (for offline mode, or something)."

Storing classified data in an unprotected format is not the best idea, mainly because we are dealing with the OneDrive for Business service, which is supposed to be secure. However, a couple of factors should be taken into account.

First up, business and commercial PCs tend to have robust security, and in most cases, they come with encrypted SSDs. Second, many expensive business machines use sophisticated fingerprint readers that cannot be easily deceived. Third, business desktops are not supposed to leave their premises, and the latter should be secure. So, while the whole situation does not look good, provided that the entire system is safe, perpetrators cannot easily use this potential exploit.

Anton Shilov
Anton Shilov
Contributing Writer

Anton Shilov is a contributing writer at Tom’s Hardware. Over the past couple of decades, he has covered everything from CPUs and GPUs to supercomputers and from modern process technologies and latest fab tools to high-tech industry trends.

More about cyber security
GeForce RTX 3090

Akira ransomware can be cracked with 16 RTX 4090 GPUs in around ten hours — new counterattack breaks encryption
A broken lock on a PCB.

Apartment buildings broken into with phone in minutes — IoT-connected intercoms using default creds vulnerable to anyone with Google
AMD Ryzen 9000 CPU

Some Ryzen 7 9800X3D CPUs are allegedly dying prematurely — over 100 cases documented based on user feedback
See more latest
5 Comments Comment from the forums
  • ynhockey
    OneDrive for Business actually has cheaper plans than the personal version, so it's used by many home users and small businesses who certainly don't have secure premises and advanced security policies. This is concerning indeed.
    Reply
  • bluvg
    I must be missing something. If the drive/volume isn't encrypted, the files themselves aren't encrypted locally, either. I guess if EFS or something similar were used, the images could be encrypted and the OCR data not, but that has little to do with OneDrive, and it's rarely used anyway from what I've seen.
    Reply
  • Alvar "Miles" Udell
    While the issue certainly needs to be fixed (just encrypting the SQL file), basic Bitlocker encryption should prevent this from being exploited.
    Reply
  • targetdrone
    So we are to believe Recall the copilot feature that records your screen is really encrypted and secure?
    Reply
  • Math Geek
    i've said it over and over and over again. THE ONLY WAY TO PROTECT YOUR DATA IS TO ENCRYPT IT YOURSELF!!!

    hoping any of these companies cares at all about you or yours is only asking for trouble. if you put it in the cloud, you best bet is to upload it encrypted. they can do what they want with it, but in the end it's nothing they can use, read, spy on or otherwise abuse while in their custody.

    anyone not doing this deserves what they get at this point. not like any of this is any kind of secret at this point.
    Reply
Most Popular
AMD Ryzen 9000 CPU
Some Ryzen 7 9800X3D CPUs are allegedly dying prematurely — over 100 cases documented based on user feedback
Micron
Micron confirms memory price hikes as AI and data center demand surges
Acer Predator X32 X2
Acer Predator X32 X2 and X27U X1 gaming monitors debut with 240 Hz QD-OLED panels
Delidded AMD Ryzen 9 9950X3D gets tested
PC enthusiast delidded a 9950X3D using fishing line and a clothes iron
CrystalMark Retro 2.0.0 in action
CrystalMark Retro 2.0.0 brings retro benchmarking to systems from Windows 95 to Windows 11
GeForce RTX 4090
Game developers urge Nvidia RTX 30 and 40 series owners rollback to December 2024 driver after recent RTX 50-centric release issues
SMIC
Can Earthquake in Myanmar disrupt PC hardware production? Manufacturers are checking out
XPG Prime Anime
XPG Prime tuning app dumps 50GB of anime girl photos in Redditor's temp folder
Raspberry Pi
This Raspberry Pi Zero camera instantly prints photos using thermal paper
Torvalds doesn't like hdrtest
Linus Torvalds rages against ‘random turd files’ in Linux 6.15-rc1 directories