Microsoft's OneDrive automatic synchronization unintentionally discloses confidential corporate data within SharePoint Online environments.
A recent study has highlighted a potential security vulnerability associated with Microsoft 365 OneDrive's automatic sync function, revealing the risk of large-scale disclosure of sensitive data and secrets. Although the specific organisation conducting the study remains unnamed, it focuses on researching such security vulnerabilities.
The study found that files saved locally, including sensitive ones like .env or .json files and spreadsheets named passwords.xlsx, are silently uploaded to the cloud, posing a threat to their confidentiality. This auto-sync functionality undermines a standard security best practice for developers, who store secrets in local .env files to avoid hardcoding them in source code.
PowerShell scripts, SQL dumps, and Word documents also frequently contain credentials, demonstrating that almost any file can become a security risk when automatically synced. For a compromised administrator account, the risk is even greater, as they can systematically search the entire SharePoint environment for sensitive data.
Once on SharePoint, these files are subject to the platform's sharing and access policies. This means that administrators can grant themselves permissions to read these synced files, making them accessible to a broader audience than intended.
The default auto-sync feature in Microsoft 365 OneDrive moves local files to SharePoint, posing a significant security risk. With Known Folder Move (KFM) enabled, supposedly local-only files are synced to SharePoint, making them discoverable across the entire Microsoft 365 tenant.
Attackers can automate searches for keywords like "password," "API key," or "token" to locate and exfiltrate secrets quickly. One in every five exposed secrets within an enterprise originates from files synced to SharePoint, according to Entro Security's research.
Specific file types, such as .env and .json files, are particularly likely to contain unencrypted secrets, according to Entro Security's research into enterprise environments. KFM automatically syncs important user folders like "Desktop" and "Documents" to OneDrive, which stores the data in SharePoint Online document libraries.
The silent nature of this auto-sync feature significantly expands the potential damage of a security breach. If an attacker compromises a single Microsoft 365 user account, they gain access not only to emails and applications but also to all the local files synced from the user's computer. Nearly one in five exposed secrets came from SharePoint, not due to a CVE, but because of Microsoft's everyday auto-sync feature.
To mitigate this risk, administrators can use Group Policy or Intune to disable the auto-sync feature where it is not necessary. Security teams should also implement solutions to continuously scan SharePoint environments for exposed secrets, detecting and remedying them before they can be exploited.
This risk is not limited to enterprise accounts; it also affects personal accounts on Windows 10 and 11. Therefore, it is essential for users to be aware of this security risk and take necessary precautions to protect their sensitive data.
Read also:
- Ford Pro Launches Customized Fleet Telematics and Dashboard Cameras
- Rapid Growth in Bio-based Polypropylene Sector Anticipated at a Compound Annual Growth Rate of 26.5% by 2034
- Potential Fire Hazards in U.S Power Grids Due to Artificial Intelligence Data Facilities
- Temperatures are escalating in the region, demanding an increase in our aspirations
