Microsoft OneDrive for Business allegedly keeps OCR'ed data in an unprotected format

News
By published

Data stored an unsecured database on the host PC

OneDrive install on phone
(Image credit: Shutterstock)

It is not a secret that both Apple and Microsoft use optical character recognition (OCR) and image recognition for images stored on MacOS and Windows-based PCs to simplify search and enable other features. Security expert Brian Maloney, the author of the Malware Malone blog, claims that Microsoft's OneDrive for Business does the same for images it stores and then stores data it obtains from them in an unsecured database on the host PC. There are a couple of catches here.

Storing data locally for a cloud storage service is not a bad idea. It enables access to certain functions and some data offline and can potentially reduce transfers to and from the cloud, saving some money when using data roaming abroad. However, it appears that the data obtained from the images is stored in an unprotected format, meaning that if a perpetrator gets hold of the PC, they will be able to access that data by either removing the drive (assuming that it is not encrypted) and installing it into a different PC, or using a password.

"Would you be okay with Microsoft performing OCR on all of your saved OneDrive images, storing the OCR'd data in plain text locally, and making it accessible without administrative privileges," asked vx-underground.org in an X survey. "If you voted 'Yes' — your wish has come true! Microsoft performs OCR on all saved file images for OneDrive Business™! Any image saved with OneDrive is stored locally in an SQLite file (for offline mode, or something)."

Storing classified data in an unprotected format is not the best idea, mainly because we are dealing with the OneDrive for Business service, which is supposed to be secure. However, a couple of factors should be taken into account.

First up, business and commercial PCs tend to have robust security, and in most cases, they come with encrypted SSDs. Second, many expensive business machines use sophisticated fingerprint readers that cannot be easily deceived. Third, business desktops are not supposed to leave their premises, and the latter should be secure. So, while the whole situation does not look good, provided that the entire system is safe, perpetrators cannot easily use this potential exploit.

Anton Shilov
Anton Shilov
Contributing Writer

Anton Shilov is a contributing writer at Tom’s Hardware. Over the past couple of decades, he has covered everything from CPUs and GPUs to supercomputers and from modern process technologies and latest fab tools to high-tech industry trends.

More about cyber security
GeForce RTX 3090

Akira ransomware can be cracked with 16 RTX 4090 GPUs in around ten hours — new counterattack breaks encryption
A broken lock on a PCB.

Apartment buildings broken into with phone in minutes — IoT-connected intercoms using default creds vulnerable to anyone with Google
RTX 5070, RX 9070 XT, Arc B580

Real-world GPU prices cost up to twice the MSRP — a look at current FPS per dollar values
See more latest
5 Comments Comment from the forums
  • ynhockey
    OneDrive for Business actually has cheaper plans than the personal version, so it's used by many home users and small businesses who certainly don't have secure premises and advanced security policies. This is concerning indeed.
    Reply
  • bluvg
    I must be missing something. If the drive/volume isn't encrypted, the files themselves aren't encrypted locally, either. I guess if EFS or something similar were used, the images could be encrypted and the OCR data not, but that has little to do with OneDrive, and it's rarely used anyway from what I've seen.
    Reply
  • Alvar "Miles" Udell
    While the issue certainly needs to be fixed (just encrypting the SQL file), basic Bitlocker encryption should prevent this from being exploited.
    Reply
  • targetdrone
    So we are to believe Recall the copilot feature that records your screen is really encrypted and secure?
    Reply
  • Math Geek
    i've said it over and over and over again. THE ONLY WAY TO PROTECT YOUR DATA IS TO ENCRYPT IT YOURSELF!!!

    hoping any of these companies cares at all about you or yours is only asking for trouble. if you put it in the cloud, you best bet is to upload it encrypted. they can do what they want with it, but in the end it's nothing they can use, read, spy on or otherwise abuse while in their custody.

    anyone not doing this deserves what they get at this point. not like any of this is any kind of secret at this point.
    Reply
Most Popular
RTX 5070, RX 9070 XT, Arc B580
Real-world GPU prices cost up to twice the MSRP — a look at current FPS per dollar values
RX 9070 XT Sapphire
Lisa Su says Radeon RX 9070-series GPU sales are 10X higher than its predecessors — for the first week of availability
ASRock fixes AM5 motherboard by cleaning it
ASRock claims to fix 'burned out' AM5 motherboard by cleaning the socket
Zotac Gaming GeForce RTX 5090 AMP Extreme Infinity
Zotac raises RTX 5090 prices by 20% and seemingly eliminates MSRP models
project-g-assist-nvidia-geforce-rtx-ogimage
Nvidia releases public G-Assist in latest App to provide in-game AI assistance — also introduces DLSS custom scaling factors
ChatGPT Security
Some ChatGPT users are addicted and will suffer withdrawal symptoms if cut off, say researchers
Ryzen AI
AMD's Gorgon Point APU line-up breaks cover — Allegedly aiming for a 2026 launch
Intel
Pat Gelsinger supportive of Lip-Bu Tan, warns him about 'the short-termism of Wall Street'
TSMC
Producing wafers at TSMC Arizona is only 10% more expensive than in Taiwan: TechInsights
MagStor
MagStor unveils tape storage drive with Thunderbolt 5 interface for Macs