It is not a secret that both Apple and Microsoft use optical character recognition (OCR) and image recognition on images stored on macOS and Windows-based PCs to simplify search and enable other features. Security expert Brian Maloney, the author of the Malware Malone blog, claims that Microsoft's OneDrive for Business does the same for the images it stores and then keeps the data it extracts from them in an unsecured database on the host PC. There are a couple of catches here.
Storing data locally for a cloud storage service is not a bad idea. It enables access to certain functions and some data offline and can potentially reduce transfers to and from the cloud, saving some money when using data roaming abroad. However, it appears that the data obtained from the images is stored in an unprotected format, meaning that if a perpetrator gets hold of the PC, they will be able to access that data either by removing the drive (assuming that it is not encrypted) and installing it into a different PC, or by using a password.
"Would you be okay with Microsoft performing OCR on all of your saved OneDrive images, storing the OCR'd data in plain text locally, and making it accessible without administrative privileges?" asked vx-underground.org in an X survey. "If you voted 'Yes' — your wish has come true! Microsoft performs OCR on all saved file images for OneDrive Business™! Any image saved with OneDrive is stored locally in an SQLite file (for offline mode, or something)."
Storing classified data in an unprotected format is not the best idea, mainly because we are dealing with the OneDrive for Business service, which is supposed to be secure. However, a couple of factors should be taken into account.
First up, business and commercial PCs tend to have robust security, and in most cases, they come with encrypted SSDs. Second, many expensive business machines use sophisticated fingerprint readers that cannot be easily deceived. Third, business desktops are not supposed to leave their premises, and those premises should be secure. So, while the whole situation does not look good, provided that the entire system is safe, perpetrators cannot easily use this potential exploit.