Windows 10 and the OneDrive vulnerabilities – Part 1

[German] This article is about the OneDrive client that Microsoft delivers with Windows 10. The way Microsoft's developers have implemented this client leaves several vulnerabilities. Here are some details from an investigation.


In the beginning was the word…

Microsoft provides a OneDrive client in Windows 10. According to Microsoft's marketing, OneDrive should be used everywhere to store data in the cloud service of the same name. But how safe is the client's implementation, especially in light of the claim that 'Windows 10 is the most secure Windows ever developed' (not my words, it's Microsoft's saying)?

After reading this article (I am planning a separate blog post about that topic), the idea for a blog post 'investigating the OneDrive client under the hood' came up, because I already had some fragments of information about OneDrive security issues from Stefan Kanthak, who deals a lot with such matters. Stefan Kanthak had put me on cc of a mail that says:

>A friend of mine has disabled OneDrive on Windows 10 because she didn't want to use the service anymore.

Stefan Kanthak asked in this e-mail: Why did she even activate this junk? – and then fired off a volley of statements about the OneDrive client and its vulnerabilities at the poor recipient of the e-mail.

Note: Microsoft also offers a OneDrive for Business client as part of Office 365, which is in fact a different client. I haven't examined that client, but the suspicion is obvious that things look no different there.

Dude, don't read the fucking "Designed for Windows" rules

I had already mentioned it in one or two of my German blog posts: when I look at Windows development from Windows 8 onward, I miss the design basics that Microsoft published in the early days of Windows 95 (I translated the German edition of the Microsoft Press title Programming the Windows 95 User Interface, Microsoft Programming Series).

But there are many other documents that Microsoft once published for software developers. Even though I have been out of software development for 25 years, I found these guidelines very useful. However, this knowledge seems either to have been lost in Redmond, to have been outsourced to the company museum, or to no longer fit into today's development processes. Stefan Kanthak puts it a little more directly:


These Id***, who created this junk [the OneDrive client under Windows], ignore the MINIMAL specifications of the 23-year-old "Designed for Windows" guidelines.

They don't install this Crapp under %ProgramFiles%, where it is safe from write access by users, but in the user profile of ANY user.

That was something I had already noticed, but I couldn't make sense of it. In fact, the OneDrive client (with all its files) can be found in each user profile under

[Screenshot: the OneDrive client folder inside the user profile]

It is indeed the case that a user (but also any malware running in that user's context) has write access to this folder, i.e. can manipulate the OneDrive files at will. The "Designed for Windows" guidelines have frowned upon this approach for 23 years. But the developers in Redmond probably don't read such old things anymore, and the old, experienced developers have long since left. Another possible explanation can be found in Part 3 of this series; if it holds, Microsoft has made a bad compromise, and as a Windows user one should draw one's own conclusions.
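To check this on your own machine, here is a PowerShell script added to this post as an example; it is neither from the original article nor Microsoft's code. It assumes that the client lives under %LOCALAPPDATA%\Microsoft\OneDrive and that the client registers its autostart under the user's Run key with a value named OneDrive; both are assumptions, adjust them if your system differs. The script lists the ACL entries that give an unprivileged principal write-class rights on the OneDrive folder and on OneDrive.exe, confirms with a probe file whether the current user can actually write there, and runs the same check against %ProgramFiles% for comparison.

```powershell
# Added example (not code from the original post): verify that the OneDrive
# client installed in the user profile is writable by the logged-on user,
# and contrast it with %ProgramFiles%, where the "Designed for Windows"
# rule would have put it. Run from a NON-elevated prompt: an elevated shell
# is an Administrator and can write to %ProgramFiles% as well.
# ASSUMPTION: the client lives in %LOCALAPPDATA%\Microsoft\OneDrive.

# Access-mask bits that let a principal change or replace files in a folder:
# FILE_WRITE_DATA/ADD_FILE, FILE_APPEND_DATA/ADD_SUBDIRECTORY, DELETE,
# FILE_DELETE_CHILD, WRITE_DAC, WRITE_OWNER, plus GENERIC_WRITE/GENERIC_ALL,
# which show up on inherited ACEs in user profiles.
[int]$WriteMask = 0x00000002 -bor 0x00000004 -bor 0x00010000 -bor 0x00000040 -bor
                  0x00040000 -bor 0x00080000 -bor 0x40000000 -bor 0x10000000

# Principals that any unprivileged logon can exercise.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    "$env:USERDOMAIN\$env:USERNAME"
)

function Get-LowPrivWriteAce {
    # Returns the Allow ACEs on $Path that grant write-class rights to a
    # low-privilege principal (Users, Everyone, the current user, ...).
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($LowPrivPrincipals -notcontains $who) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Test-CanWriteHere {
    # Ground truth: try to create (and immediately remove) a file as the
    # current user. Catches anything the ACE parsing might miss.
    param([Parameter(Mandatory)][string]$Directory)

    $probe = Join-Path $Directory ("acl-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

$oneDriveDir = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'   # ASSUMPTION
$targets = @(
    $oneDriveDir,
    (Join-Path $oneDriveDir 'OneDrive.exe'),
    $env:ProgramFiles
)

foreach ($target in $targets) {
    if (-not (Test-Path -LiteralPath $target)) {
        Write-Warning "not found: $target"
        continue
    }
    $hits  = @(Get-LowPrivWriteAce -Path $target)
    $isDir = (Get-Item -LiteralPath $target).PSIsContainer
    $probe = if ($isDir) { Test-CanWriteHere -Directory $target } else { 'n/a (file)' }

    Write-Output "$target"
    Write-Output "  low-privilege write ACEs : $($hits.Count)"
    Write-Output "  probe file created       : $probe"
    if ($hits.Count -gt 0) {
        $hits | Format-Table Principal, Rights, Inherited -AutoSize | Out-String | Write-Output
    }
}

# Why a user-writable install folder matters: the client starts itself from
# this folder at every logon via the per-user Run key (ASSUMPTION: value
# name 'OneDrive'), so whatever replaces OneDrive.exe there runs as well.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['OneDrive']) {
    Write-Output "autostart: $runKey\OneDrive = $($run.OneDrive)"
}
```

On a default installation the OneDrive folder and OneDrive.exe report at least one write ACE for the current user (inherited from the profile) and a successful probe write, while %ProgramFiles% reports none and a failed probe; that difference is exactly the rule the guidelines quoted above describe. The probe function is the authoritative answer, the ACE listing explains why.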

Unfortunately, today's story goes further, and by no means in a more positive direction. Microsoft's developers have made further mistakes, such as using outdated open source libraries that contain well-known vulnerabilities. But that is the subject of Part 2 of this series.

Windows 10 and the OneDrive vulnerabilities – Part 1
Windows 10 and the OneDrive vulnerabilities – Part 2
Windows 10 and the OneDrive vulnerabilities – Part 3

Similar articles
Security-Risk: Avoid 7-Zip
7-Zip vulnerable – update to version 18.01


This entry was posted in Security, Software, Windows.

3 Responses to Windows 10 and the OneDrive vulnerabilities – Part 1

  1. Crysta T Lacey says:

    I thought I would just mention that both Google and Microsoft have made some very radical changes to each of their offerings, to the point that I won't have them anywhere near my Data Disk under Windows. I just plain don't trust them or their Engineers/Developers' next iterations. Their Apps are both uninstalled.

    Therefore I went with a buffer that maintains constant access and would be easy to use with Total Commander by Christian GHISLER to maintain my own Tower Disk Copies as well as to update OneDrive and GDrive. That solution was Synology DSN on my NAS Paddock and one of their Apps that does both equally well. This provides the buffer I need against the foolishness(IMHO).

    Total Commander provides a Syncable Comparison that I run ever so often for me off of my Server Paddock (as opposed to a whole Farm). The Synology Apps have a short time frame two-way (GDrive) and one-way (OneDrive) syncing. OneDrive is strictly Backup, where GDrive is a bit more dynamic.

  2. Rob Nicholson says:

    I was searching Google for "OneDrive crap" because I can't believe how Microsoft have still not sorted out this critical tool. Thanks for the articles as it makes one feel a little better. Seriously though, I'm going to scream the next time OneDrive restores previously deleted files/folders. The synchronisation algorithm is fundamentally broken – certainly compared to Dropbox and Google Drive. As IT support, I often log on to a client's laptop using my Office 365 account after several months/weeks since last logging on. OneDrive frequently restores files & folders that I have deleted since logging onto that device. So bad, that I'm now regularly going into the ransomware restore function to restore OneDrive when this happens. I also have a VM running on my server at home that's continually backing up my OneDrive folder every time there is a change into a backup system where I can restore back to a point in time.

    This *never* happens with Google Drive or Dropbox – and I have accounts with them where I frequently log on after a long time.

    I'm flabbergasted that this problem isn't more well-known :-(

  3. PissedAtOneDrive says:

    OneDrive is still maliciously remapping folders to the point that the second it gets authorized and logged in on your computer it redirects all folders and functions to pass through OneDrive, so your top of the line computer is just a portal to the OneDrive servers and your files are now de facto theirs. 30 gigs not enough space? Well, pay us to add more space, because if you try to tell OneDrive to stop syncing a folder that must mean you don't want those files, and since your computer is just a portal now and not actually your property anymore *WHOOSH* they're gone, forever. Hope you didn't need those precious pics of grandma before she died cause they no longer exist and Microsoft couldn't care less. The way they set up this program isn't just the definition of user unfriendly, it's fucking hostile.
