Flaw in Microsoft’s OneDrive Offline Mode Stores OCR Data Insecurely

Cybersecurity experts warn that Microsoft’s OneDrive Offline Mode leaves sensitive OCR data vulnerable in unprotected local databases.

Microsoft is facing criticism from cybersecurity experts over its handling of sensitive data in OneDrive for Business.

Research reveals that the service stores optical character recognition (OCR) metadata extracted from images in an unprotected format on users’ devices.

This discovery raises questions about the security and privacy of Microsoft’s widely used cloud storage service, especially for enterprise customers who rely on it to manage sensitive data.

The issue came to light through an investigation by cybersecurity expert Brian Maloney, known for his detailed forensic analyses published on his blog.


Maloney discovered that OCR data, along with other metadata, is stored in an SQLite database named Microsoft.LinkSync.db within OneDrive’s Offline Mode feature.

This database, located in the user’s local storage, is not encrypted, making it accessible to anyone with physical or administrative access to the device. “How can this data be ‘securely stored’ when there are no protections on the database?” Maloney wrote in his analysis. “I can grab this database and copy it to wherever I want, open it and view it. Even to another device.”
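An endpoint audit can confirm this exposure by checking whether a file with that name starts with the standard plaintext SQLite header and opens without a key. The script below is an added example, not code from Maloney's analysis or from Microsoft; the search root is an assumption because the article gives only the file name, and the script reads the schema table count only, never row contents.

```python
import os
import sqlite3
import sys
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any unencrypted SQLite file
TARGET_NAME = "microsoft.linksync.db"  # file name reported in the article


def is_plaintext_sqlite(path):
    """Return True when the file begins with the standard SQLite header."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def count_tables(path):
    """Open read-only and count tables; None if SQLite cannot parse the file."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    try:
        conn = sqlite3.connect(uri, uri=True)
        try:
            query = "SELECT count(*) FROM sqlite_master WHERE type = 'table'"
            return conn.execute(query).fetchone()[0]
        finally:
            conn.close()
    except sqlite3.Error:
        return None


def audit(root):
    """Walk root and report every copy of the database and whether it is plaintext."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET_NAME:
                continue
            path = os.path.join(dirpath, name)
            try:
                plaintext = is_plaintext_sqlite(path)
            except OSError:
                continue  # not readable by the account running the audit
            tables = count_tables(path) if plaintext else None
            findings.append({"path": path, "plaintext_sqlite": plaintext, "tables": tables})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    # Assumption: the search root is supplied by the operator (default: home directory).
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")):
        print(finding)
```

A result with `plaintext_sqlite` set to `True` means the file can be opened by any process running as an account that can read it, which is the condition the article describes.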

The lack of encryption poses a significant risk to enterprise users, many of whom operate under strict regulatory requirements such as HIPAA in healthcare or GDPR in the European Union.

The unprotected OCR data could include sensitive information extracted from scanned contracts, invoices, or other confidential documents, potentially leading to compliance violations or data breaches.


Offline Mode and Its Unintended Risks

OneDrive’s Offline Mode was announced in late 2023, with general availability rolling out in 2024. The feature was designed to allow users to manage files, including viewing, sorting, renaming, and copying, without needing an internet connection. This is achieved by storing file metadata locally, ensuring faster access to files during outages or disruptions.

Microsoft described the feature as a productivity enhancement. According to its official documentation, “To accomplish this, a copy of your file metadata that powers OneDrive web app is securely stored locally on your device. These data on your device are only available to you.”

However, Maloney’s findings directly contradict these claims. His analysis revealed that the database containing metadata, including OCR data, is neither encrypted nor protected by sufficient access controls.

Further amplifying the concerns, vx-underground.org, a prominent cybersecurity research group, shared Maloney’s findings on X (formerly Twitter), stating, “Would you be okay with Microsoft performing OCR on all of your saved OneDrive images, storing the OCR’d data in plain text locally, and making it accessible without administrative privileges? If you voted ‘Yes’—your wish has come true!”

The group highlighted how attackers could bypass cloud security measures by directly accessing the unprotected local database. Since such actions would not appear in the Unified Audit Log (UAL)—Microsoft 365’s logging system for user and system activities—these breaches could remain undetected.

Compliance and Security Concerns for Businesses

The unencrypted local storage of OCR data is particularly alarming for enterprise users who rely on OneDrive for Business to manage and store sensitive documents. Industries such as healthcare, finance, and legal services are bound by stringent data protection laws, making any potential exposure of client or patient information a serious issue.

Maloney pointed out another related vulnerability: the default behavior of Windows 11’s Snipping Tool, which automatically saves screenshots to OneDrive. This feature could inadvertently upload sensitive information to the unprotected database.

“And the user might not even realize that when they take a screenshot with something like Snipping tool, the default in Windows 11 is to save it to OneDrive whether they decided to save it or not,” Maloney noted. Such practices could create compliance risks for organizations subject to data privacy regulations.

While many enterprise devices employ security features like encrypted drives, biometric authentication, and secure premises, these safeguards are undermined if sensitive data is stored locally in an unencrypted format. Attackers who gain access to a device could extract the SQLite database and view its contents without needing to breach OneDrive’s cloud infrastructure.

Microsoft’s history of introducing AI-driven features to OneDrive, such as advanced search and file organization tools, further complicates the narrative. While these innovations enhance usability, they also introduce new challenges in ensuring the security of locally stored data.

The timing of these revelations coincides with Microsoft’s broader push to integrate artificial intelligence into its products, including upcoming AI-driven tools for OneDrive set to launch in 2025. However, the security concerns raised by Maloney and others suggest that the company’s focus on innovation may be overshadowing fundamental issues of data protection.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master’s degree in International Economics and is the founder and managing editor of Winbuzzer.com.