Cybersecurity researchers have discovered a security flaw in Microsoft’s OneDrive file picker. This allows the website to access the entire user’s cloud storage content, as opposed to only the files selected for uploading via the tool.
“This is due to a very broad OAUTH scope and misleading consent screen that cannot clearly explain the extent of access granted,” the report shared with Hacker News states that “cannot clearly explain the scope of access.” “This flaw can have serious consequences, including customer data leaks and violations of compliance regulations.”
Several apps, including ChatGpt, Slack, Trello and Clickup, are rated as being affected, considering integration with Microsoft’s cloud services.
According to Oasis, the problem is the result of the excessive privileges requested by the OneDrive file picker, which requires read access to the entire drive.
Adding even more compounding will result in a vague file upload, inability to properly communicate the level of access permitted, and the consent prompt user will be presented before exposing the user to unexpected security risks.
“Because of the lack of fine grain scope, users cannot distinguish between malicious apps that target all files and legitimate apps that require excessive permissions simply because they don’t have other secure options,” Oasis said.
The New York-based security company also added that the OAuth tokens used to grant access are often stored volatilely and stored in plain text format in the browser’s session storage.
Another potential pitfall is that the approval workflow involves issuing a refresh token and may include allowing applications to continue access to user data by allowing users to obtain new access tokens without asking users to log in again when the current token expires.
Following responsible disclosure, Microsoft has admitted the issue, but has not yet been fixed. In the interim, it is worth considering temporarily removing the option to upload files using OneDrive via Oauth until a secure alternative is set up. Alternatively, we recommend avoiding using refresh tokens, storing access tokens in a secure way and removing them when they are no longer needed.
The Hacker News reached out to Microsoft for further comment. If you’ve heard of it, I’ll update the story.
“The lack of fine-grained OAuth scope combined with Microsoft’s obscure user prompts is a dangerous combination that puts both individuals and business users at risk,” Oasis said. “This finding reinforces the importance of continuous vigilance in OAUTH scope management, regular security assessments, and proactive monitoring to protect user data.”
Source link
