[German]This article is about the OneDrive client that Microsoft delivers with Windows 10. The way, how Microsoft’s developers has implemented this client, leaves several vulnerabilities. Here are a few details about an investigation.
In the beginning was the word…
Microsoft provides a OneDrive client in Windows 10. According to Microsoft’s marketing, OneDrive should be used everywhere to save data on the cloud service of the same name. But how save is the client’s implementation? Also under the view, that ‘Windows 10 is the most secure Windows ever developed’ (not my words, it’s Microsoft’s saying).
After reading this article (I am planning a separate blog post about that topic), the idea for a blog post ‘investigating OneDrive client under the hood’ came up. Because I had some fragments of information about OneDrive and security issues found from Stefan Kanthak, who deals a lot with security issues. Stefan Kanthak has put me on cc to a mail, that says:
>A friend of mine has disabled OneDrive on Windows 10 because she didn’t want to use the service anymore.
Stefan Kanthak asked within this e-mail: Why did she even activate this junk? – and then he shot a volley of statements about the OneDrive client and its vulnerabilities to the poor recipient of the e-mail.
Note: Microsoft offers also an OneDrive for Business client within Office 365, which is in fact a different client. I haven’t examined this client. But at least the suspicion is obvious that it doesn’t look any different there.
Dude, don’t read the fucking “Designed for Windows” rules
I had already mentioned it in one or two of my German blog posts: When I look at the Windows development from Windows 8 onward, I’m missing the design basics that Microsoft once published in the early days of Windows 95 (I’ve translated the German edition of the Microsoft Press title Programming the Windows 95 User Interface (Microsoft programming series).
But there are many other documents that Microsoft once published for software developers. Even though I have since 25 years been out of software development, I found these guidelines very useful. However, this knowledge seems to have either been lost in Redmond, or has been outsourced to the company museum, or no longer fit into today’s development processes. Stefan Kanthak describes it a little more directly:
These Id***, who created this junk [the OneDrive client under Windows], ignore the MINIMAL specifications of the 23-year-old “Designed for Windows” guidelines.
They don’t install this Crapp under %ProgramFiles%, where it is safe from write access by users, but in the user profile of ANY user.
That was something I had already noticed, but I couldn’t make sense of it. In fact, the OneDrive client can be found (with all files) in each user profile under
It is indeed the case that a user (but also malware) has write access to this folder, i.e. can manipulate the OneDrive files at will. This approach has been frowned upon for 23 years according to the “Designed for Windows” guidelines. But the developers in Redmond probably don’t read such old things anymore – and the old experienced developers have been gone long ago. Another possible explanation can be found in Part 3 of the article series – then Microsoft would make bad compromises and as a Windows user one should draw his conclusions.
Unfortunately, the today’s story goes even further, and by no means more positive. Microsoft developers have made further mistakes, such as using outdated open source libraries which contains well known vulnerabilities. But this is part of part 2 of this article series.