A key Microsoft OneDrive feature has a worrying security flaw which could expose user data
You might want to pause uploading files using OneDrive through OAuth until Microsoft releases a fix.

- Researchers found a flaw in Microsoft OneDrive File Picker
- The flaw stems from the lack of fine-grained OAuth permissions
- Microsoft acknowledges the flaw, but hasn't fixed it yet
A vulnerability in Microsoft’s OneDrive File Picker has been found which could allow threat actors to access people’s entire cloud archives, experts have warned.
Security researchers Oasis discovered the flaw and reported it to Microsoft, noting the problem lies in excessive permissions that File Picker asks for - including read access to the entire drive. The tool asks for these permissions since the OAuth scopes for OneDrive aren’t fine-grained.
File Picker is a tool in OneDrive that allows websites and applications to integrate directly with the cloud storage solution. That way, users can manage their OneDrive account within a third-party interface, resulting in seamless file access.
Reading the calendar
"This stems from overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted," the Oasis Research Team explained in a report.
"This flaw could have severe consequences, including customer data leakage and violation of compliance regulations."
Oasis further stressed that a number of popular apps, such as ChatGPT, Trello, or Slack, are also affected, since they integrate with OneDrive.
The researchers also said that the messaging, when uploading files, isn’t clear enough, which could mislead people into thinking their cloud storage solutions are secure.
"The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option," Oasis concluded.
If that wasn’t enough, Oasis also said the OAuth tokens are often stored insecurely since they’re saved in the browser’s session storage in plaintext.
Microsoft has reportedly acknowledged the issue, but hasn’t come back with a patch just yet.
If you’re worried about exposing your OneDrive storage, you might want to temporarily remove the option to upload files using OneDrive through OAuth. You could also stop using refresh tokens and make sure to store access tokens more securely.
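As an added illustration of the two points above (scopes broader than an upload needs, and tokens sitting in browser storage in plaintext), here is an example audit that is not from the article, Oasis or Microsoft: it reads the scopes an access token actually carries, flags anything beyond an assumed allow-list, and keeps the token in memory instead of sessionStorage. The scope names and the sample token are constructed for illustration, and the token is decoded only to read claims, not validated.

```javascript
// Added example (not from the article or from Oasis/Microsoft): audit the
// delegated scopes ("scp") an OAuth access token carries and keep the token
// out of sessionStorage/localStorage. Scope names and the sample token are
// assumptions/constructed; the token is unsigned and only decoded, not verified.

// What a file-upload integration plausibly needs. These are Microsoft Graph
// delegated permission names assumed by this example; the article names none.
// Anything outside this set (whole-drive read, offline_access for refresh
// tokens) is reported as excess so it can be reviewed or rejected.
const ALLOWED_SCOPES = new Set(['Files.Read.Selected', 'User.Read', 'openid', 'profile']);

function b64url(s) { return Buffer.from(s, 'utf8').toString('base64url'); }

// Build an unsigned JWT-shaped token so the example runs offline.
function makeUnsignedToken(claims) {
  const header = b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${b64url(JSON.stringify(claims))}.`;
}

// Read the space-separated delegated scopes from the token payload.
function grantedScopes(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  return (payload.scp || '').split(' ').filter(Boolean);
}

// Every granted scope not on the allow-list. A non-empty result means the
// consent screen covered more access than the upload flow actually needs.
function excessScopes(token, allowed = ALLOWED_SCOPES) {
  return grantedScopes(token).filter((s) => !allowed.has(s));
}

// Hold the token in a closure rather than sessionStorage so it is not readable
// as plaintext by any script that can enumerate the page's storage.
function createTokenStore() {
  let token = null;
  return {
    set(t) { token = t; },
    use(fn) { return token ? fn(token) : null; },
    clear() { token = null; },
  };
}

// Constructed sample: the kind of grant a picker flow with whole-drive read
// access plus a refresh token would produce.
const SAMPLE_TOKEN = makeUnsignedToken({
  aud: 'https://graph.microsoft.com',
  scp: 'Files.Read.All User.Read offline_access',
});
```

Running `excessScopes(SAMPLE_TOKEN)` reports `Files.Read.All` and `offline_access` as beyond what the upload needs; a token scoped to `Files.Read.Selected User.Read` reports nothing.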
Via The Hacker News