Microsoft OneDrive for Business allegedly keeps OCR'ed data in an unprotected format
Data stored in an unsecured database on the host PC

It is not a secret that both Apple and Microsoft use optical character recognition (OCR) and image recognition for images stored on macOS and Windows-based PCs to simplify search and enable other features. Security expert Brian Maloney, the author of the Malware Maloney blog, claims that Microsoft's OneDrive for Business does the same for the images it stores and then keeps the data it obtains from them in an unsecured database on the host PC. There are a couple of catches here.
Storing data locally for a cloud storage service is not a bad idea. It enables access to certain functions and some data offline and can potentially reduce transfers to and from the cloud, saving some money when using data roaming abroad. However, it appears that the data obtained from the images is stored in an unprotected format, meaning that if a perpetrator gets hold of the PC, they will be able to access that data either by removing the drive (assuming that it is not encrypted) and installing it into a different PC, or by using a password.
"Would you be okay with Microsoft performing OCR on all of your saved OneDrive images, storing the OCR'd data in plain text locally, and making it accessible without administrative privileges," asked vx-underground.org in an X survey. "If you voted 'Yes' — your wish has come true! Microsoft performs OCR on all saved file images for OneDrive Business™! Any image saved with OneDrive is stored locally in an SQLite file (for offline mode, or something)."
Storing classified data in an unprotected format is not the best idea, mainly because we are dealing with the OneDrive for Business service, which is supposed to be secure. However, a couple of factors should be taken into account.
First up, business and commercial PCs tend to have robust security, and in most cases, they come with encrypted SSDs. Second, many expensive business machines use sophisticated fingerprint readers that cannot be easily deceived. Third, business desktops are not supposed to leave their premises, and the latter should be secure. So, while the whole situation does not look good, provided that the entire system is safe, perpetrators cannot easily use this potential exploit.
Anton Shilov is a contributing writer at Tom’s Hardware. Over the past couple of decades, he has covered everything from CPUs and GPUs to supercomputers and from modern process technologies and latest fab tools to high-tech industry trends.
ynhockey OneDrive for Business actually has cheaper plans than the personal version, so it's used by many home users and small businesses who certainly don't have secure premises and advanced security policies. This is concerning indeed.
bluvg I must be missing something. If the drive/volume isn't encrypted, the files themselves aren't encrypted locally, either. I guess if EFS or something similar were used, the images could be encrypted and the OCR data not, but that has little to do with OneDrive, and it's rarely used anyway from what I've seen.
Alvar "Miles" Udell While the issue certainly needs to be fixed (just encrypting the SQL file), basic BitLocker encryption should prevent this from being exploited.
targetdrone So we are to believe Recall, the Copilot feature that records your screen, is really encrypted and secure?
Math Geek i've said it over and over and over again. THE ONLY WAY TO PROTECT YOUR DATA IS TO ENCRYPT IT YOURSELF!!!
hoping any of these companies cares at all about you or yours is only asking for trouble. if you put it in the cloud, your best bet is to upload it encrypted. they can do what they want with it, but in the end it's nothing they can use, read, spy on or otherwise abuse while in their custody.
anyone not doing this deserves what they get at this point. not like any of this is any kind of secret at this point.