Monday, January 27, 2025

OneDrive Offline Mode (Recallish vibes)

Back in April 2024, Microsoft announced a new feature coming to OneDrive for Business called Offline Mode. The feature allows you to continue to use the web version of OneDrive without an internet connection. It works by downloading your file metadata and running a web server (Microsoft.SharePoint.exe) located in Program Files\Microsoft Onedrive\<OneDrive_Version>\. Now, as many of you may already know, I dabble in OneDrive forensic artifacts so when I finally got the feature in December I started to poke around. I found some pretty interesting things in the database that drives Offline Mode.

The database in question is called Microsoft.LinkSync.db. It is located in %LOCALAPPDATA%\Microsoft\OneDrive\ListSync\Business1\settings. This database contains the file metadata that helps run Offline Mode. According to Microsoft's own documentation,

"To accomplish this, a copy of your file metadata that powers OneDrive web app is securely stored locally on your device. These data on your device are only available to you. If someone else were to sign in on your device, these local data on the device wouldn't be available to them. We adhere to privacy guidelines outlined in the Microsoft Privacy Statement.

A secure local web server on your device handles the operations that you perform on your files, such as viewing, sorting, renaming, moving, and copying where traditionally these operations would need to be handled by the OneDrive cloud service. This results in fast and smooth interactions with your files like loading your files and folders, sorting, renaming, moving, renaming, and more. And all of these operations will continue to work even when you are offline, lose your internet connection, or run into a service disruption in the app."

I find this statement to not be true. How can this data be "securely stored" when there are no protections on the database? Microsoft.LinkSync.db is sitting there in an unencrypted state. I can grab this database, copy it wherever I want, even to another device, and open it and view it. As for "these local data on the device wouldn't be available to them": I was able to access the database with an account with admin privileges and the data was available to me. Now I know you're saying, "but you had admin rights." True, but according to Microsoft, it should not be available to me. Also, I'm not a hacker, but I'm sure there are other ways to get to it. Let's take a peek at the data in this "securely stored" database that can be exfiltrated and read by anyone.

OCR data

In my quick look over Microsoft.LinkSync.db, I came across a couple of tables named list_<listID>_<siteID>_rows. One of them had a column named MediaServiceOCR. The data appears to be related to this feature. Nice feature, until recently, when the data started being stored locally, unsecured. Here is a small sample of the data:

But why should I be concerned? Not all of these images are stored locally; some can be online only. If someone were to start downloading images from the cloud, there would be traces in the Unified Audit Log (UAL), and if it were a lot of files, it would make some noise. So why not grab the database and not even touch OneDrive? Sound familiar (Recall)? The other issue with this is that the user might not even realize that when they take a screenshot with something like Snipping Tool, the default in Windows 11 is to save it to OneDrive whether they decided to save it or not. And there could be concerns about HIPAA and other regulations that need to be followed.

What other fun things can we find?

There is another table called site_<siteID>_users that, you guessed it, contains user information for your organization.

Along with all the usual things like file/folder names, paths, etc. I'm probably missing some things but again, this was a quick look.
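For defenders who want to size up exposure on a host without dumping any OCR text, here is an added triage script (my example, not Microsoft's code and not the OCRMe tools linked below). It opens a Microsoft.LinkSync.db read-only, finds the list_*_rows tables that carry a MediaServiceOCR column and the site_*_users tables, and counts what they hold; the sample database it builds is constructed for the demo, and every column name other than MediaServiceOCR is an assumption.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Table-name patterns from the post; every column except MediaServiceOCR
# is an assumption for this example, not Microsoft's real schema.
ROWS_RE = re.compile(r"^list_.+_rows$")
USERS_RE = re.compile(r"^site_.+_users$")


def audit_listsync_db(db_path):
    """Count OCR text and user rows in a Microsoft.LinkSync.db without dumping
    any content. Opened read-only so triage never modifies the artifact."""
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    report = {"ocr_tables": {}, "user_tables": {}}
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for t in names:
            cols = [c[1] for c in con.execute(f'PRAGMA table_info("{t}")')]
            if ROWS_RE.match(t) and "MediaServiceOCR" in cols:
                report["ocr_tables"][t] = con.execute(
                    f'SELECT COUNT(*) FROM "{t}" WHERE MediaServiceOCR IS NOT NULL '
                    "AND MediaServiceOCR <> ''").fetchone()[0]
            elif USERS_RE.match(t):
                report["user_tables"][t] = con.execute(
                    f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
    finally:
        con.close()
    return report


def build_sample_db(path):
    # Constructed stand-in for the real database; the OCR strings are made up.
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE list_L1_S1_rows (id INTEGER, FileLeafRef TEXT, MediaServiceOCR TEXT);
        INSERT INTO list_L1_S1_rows VALUES
            (1, 'scan.png',   'Invoice 1234, account ending 9876 (constructed)'),
            (2, 'notes.docx', NULL),
            (3, 'shot.png',   'Reset link: https://example.invalid/r (constructed)');
        CREATE TABLE list_L2_S1_rows (id INTEGER, FileLeafRef TEXT);
        CREATE TABLE site_S1_users (id INTEGER, Email TEXT);
        INSERT INTO site_S1_users VALUES (1, 'alice@example.com'), (2, 'bob@example.com');
    """)
    con.close()


def demo():
    """Build the sample in a temp dir and audit it: expect 2 OCR rows and 2 users."""
    path = Path(tempfile.mkdtemp()) / "Microsoft.LinkSync.db"
    build_sample_db(str(path))
    return audit_listsync_db(path)
```

Point audit_listsync_db at a copy of the real file from the ListSync path above to see how many rows of OCR text a given profile is holding in the clear.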

What led me to write this?

A couple days ago, SwiftOnSecurity posted a Tweet (yes I still call them that) that I had responded to.

This caught the attention of vx-underground. Even though they are more malware related, they like me for some reason.

It's just one poll, but it looks like people don't want this data lying around unsecured. The collaboration with vx-underground led to Smelly releasing a tool described as a "Tool designed to exfiltrate OneDrive Business OCR Data". In turn, I decided to release the Python version of this that I had been working on.

vx-underground OCRMe
Beercow OCRMe

I've done all I can to raise my concerns so I'll leave it up to the community to decide if this is truly a concern or not.
