
Microsoft OneDrive File Picker Flaw Grants Apps Full Cloud Access — Even When Uploading Just One File


May 28, 2025 · Ravie Lakshmanan · Data Privacy / Vulnerability


Cybersecurity researchers have discovered a security flaw in Microsoft’s OneDrive File Picker that, if successfully exploited, could allow websites to access a user’s entire cloud storage content, as opposed to just the files selected for upload via the tool.

“This stems from overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted,” the Oasis Research Team said in a report shared with The Hacker News. “This flaw could have severe consequences, including customer data leakage and violation of compliance regulations.”


It is assessed that several apps are affected, such as ChatGPT, Slack, Trello, and ClickUp, given their integration with Microsoft’s cloud service.

The problem, Oasis said, is the result of excessive permissions requested by the OneDrive File Picker, which seeks read access to the entire drive, even in cases where only a single file is uploaded, because there are no fine-grained OAuth scopes for OneDrive that would limit access to the selected file.

Compounding matters further, the consent prompt users are presented with prior to a file upload is vague and does not adequately convey the extent of access being granted, thereby exposing users to unexpected security risks.

“The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option,” Oasis noted.

The New York-based security company further pointed out that the OAuth tokens used to authorize access are often stored insecurely, adding that they are saved in the browser’s session storage in plaintext, where any script running on the same origin can read them.

Another potential pitfall is that the authorization workflows may also involve issuing a refresh token, granting the application ongoing access to user data by allowing it to obtain new access tokens without having to ask the user to log in again when the current token expires.


Following responsible disclosure, Microsoft has acknowledged the problem, although there is no fix as yet. In the interim, it is worth considering temporarily removing the option to upload files using OneDrive via OAuth until a secure alternative is in place. Alternatively, it is recommended to avoid using refresh tokens, to store access tokens securely, and to dispose of them when they are no longer needed.
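The scope and token checks the findings above point to, as an added example that is not code from the article, Oasis, or Microsoft: it parses an authorization request URL and flags drive-wide scopes and `offline_access` (the OpenID Connect scope that makes the Microsoft identity platform issue a refresh token), decodes a JWT payload to show that the granted scopes sit in the clear, audits a Web Storage-like object for JWT-shaped values, and holds a token in memory for a single use instead of persisting it. The Microsoft Graph scope names listed are real delegated permissions, but the article does not say which scopes the File Picker actually requests, so the classification table is this example’s own policy; the authorization URL, token, and storage contents are constructed sample input.

```javascript
// Added example, not code from the article, Oasis or Microsoft. Checks for an
// OAuth-based OneDrive upload flow: classifyScopes() flags requested scopes
// that reach beyond the one file being uploaded and the scope that yields a
// refresh token; decodeJwtPayload()/auditTokenStore() show that a token parked
// in Web Storage exposes its claims ("scp") to any script on the origin;
// ephemeralTokenHolder() keeps a token in memory for one use, then drops it.
// Scope names are real Microsoft Graph delegated permissions; which ones the
// File Picker requests is not stated in the article, so the table below is
// this example's own policy. The URL, token and storage are constructed input.
const DRIVE_WIDE_SCOPES = new Set([
  "Files.Read", "Files.ReadWrite",          // all of the signed-in user's files
  "Files.Read.All", "Files.ReadWrite.All",  // all files the user can access
  "Sites.Read.All", "Sites.ReadWrite.All",  // all SharePoint/OneDrive sites
]);
// OpenID Connect scope that makes the Microsoft identity platform issue a
// refresh token alongside the access token.
const REFRESH_TOKEN_SCOPE = "offline_access";

// base64url helpers (JWT segments are unpadded base64url of UTF-8 JSON).
function base64url(str) {
  let bin = "";
  for (const b of new TextEncoder().encode(str)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function base64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// Parse the "scope" parameter of an authorization request and classify it.
// Scopes may be bare ("Files.Read") or resource-qualified
// ("https://graph.microsoft.com/Files.Read"); the resource prefix is stripped.
function classifyScopes(authorizeUrl) {
  const raw = new URL(authorizeUrl).searchParams.get("scope") || "";
  const scopes = raw.split(/\s+/).filter(Boolean).map((s) => s.split("/").pop());
  return {
    scopes,
    driveWide: scopes.filter((s) => DRIVE_WIDE_SCOPES.has(s)),
    requestsRefreshToken: scopes.includes(REFRESH_TOKEN_SCOPE),
  };
}

// Decode a JWT payload WITHOUT verifying the signature. This is not token
// validation; it only shows that the claims are readable in the clear.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64urlDecode(parts[1]));
}

// Scan a Web Storage-like object (sessionStorage/localStorage, or anything with
// the same length/key()/getItem() shape) for JWT-shaped values and report the
// drive-wide scopes each one carries.
function auditTokenStore(store) {
  const jwtShape = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;
  const findings = [];
  for (let i = 0; i < store.length; i++) {
    const key = store.key(i);
    const value = store.getItem(key);
    if (typeof value !== "string" || !jwtShape.test(value)) continue;
    let scopes = [];
    try {
      const scp = decodeJwtPayload(value).scp;
      if (typeof scp === "string") scopes = scp.split(" ");
    } catch { continue; } // JWT-shaped but not a JSON payload: skip
    findings.push({ key, scopes, driveWide: scopes.filter((s) => DRIVE_WIDE_SCOPES.has(s)) });
  }
  return findings;
}

// Alternative to persisting the token: keep it in a closure, hand it to the one
// call that needs it, and drop the reference afterwards.
function ephemeralTokenHolder(accessToken) {
  let token = accessToken;
  return {
    use(fn) {
      if (token === null) throw new Error("token already discarded");
      try { return fn(token); } finally { token = null; }
    },
    discarded() { return token === null; },
  };
}

// --- Constructed sample input: placeholder client id, unsigned sample token ---
const SAMPLE_AUTHORIZE_URL =
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=example-client-id&response_type=code&scope=" +
  encodeURIComponent("openid offline_access https://graph.microsoft.com/Files.Read.All");
const SAMPLE_TOKEN = [
  base64url(JSON.stringify({ alg: "none", typ: "JWT" })),
  base64url(JSON.stringify({ scp: "Files.Read.All openid", exp: 1700000000 })),
  "", // no signature: sample data, not a token from any issuer
].join(".");
// Stand-in for window.sessionStorage so the example runs outside a browser.
const SAMPLE_STORE = (() => {
  const m = new Map([["accessToken", SAMPLE_TOKEN], ["theme", "dark"]]);
  return { get length() { return m.size; }, key: (i) => [...m.keys()][i], getItem: (k) => m.get(k) ?? null };
})();

console.log(classifyScopes(SAMPLE_AUTHORIZE_URL), auditTokenStore(SAMPLE_STORE));
```

Run it with Node 16 or later (it relies on the global `atob`/`btoa`); in a browser, pass `window.sessionStorage` to `auditTokenStore` to see what an integration left behind after an upload. Decoding the payload is not validation: the signature is never checked here, and the point is only that whoever can read the stored token can also read what it is good for.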

When reached for comment, Microsoft said: “We appreciate the partnership with Oasis Security in responsibly disclosing this issue. This technique does not meet our bar for immediate servicing as a user must provide consent to the application before any access is allowed. We will consider improvements to the experience in a future release.”

“The lack of fine-grained OAuth scopes combined with Microsoft’s vague user prompt is a dangerous combination that puts both personal and enterprise users at risk,” Oasis said. “This discovery reinforces the importance of continuous vigilance in OAuth scope management, regular security assessments, and proactive monitoring to protect user data.”

(The story was updated after publication to include a response from Microsoft.)
