Critical OneDrive Flaw Lets Malicious Websites Access All Your Files

A newly revealed vulnerability in Microsoft’s OneDrive File Picker has placed millions of users at risk, enabling popular web applications, including ChatGPT, Slack, Trello, and ClickUp, to gain full read access to users’ entire OneDrive accounts.

The flaw, uncovered by the Oasis Security Research Team, stems from excessive OAuth permissions and insecure token management, raising urgent concerns for both individuals and enterprises.

Excessive Permissions

The root of the issue lies in the OneDrive File Picker’s use of overly broad OAuth scopes.

OAuth is the industry-standard protocol that lets users grant third-party apps access to their data.

However, instead of limiting access to only the files a user selects for upload or sharing, the File Picker requests read (and sometimes write) permissions for the entire OneDrive account.

This design flaw means that when a user uploads a single document through a web app, that app can potentially read every file and folder in the user’s OneDrive.

The consent screen presented to users does not clearly communicate the extent of access being granted.

As a result, users may unknowingly expose sensitive documents, personal photos, or confidential enterprise data.

Unlike Google Drive, which offers file-specific OAuth scopes such as drive.file, or Dropbox, which avoids OAuth altogether in its file picker, Microsoft’s implementation does not allow for such granularity.

Insecure Storage of Sensitive Tokens

Beyond excessive permissions, the flaw is compounded by insecure storage of sensitive authentication tokens.

In the latest OneDrive File Picker (version 8.0), developers must handle authentication using the Microsoft Authentication Library (MSAL), which stores access tokens in the browser’s session storage as plain text.

If an attacker gains access to a user’s browser session, these tokens can be stolen, granting ongoing access to the user’s OneDrive.

The use of refresh tokens—long-lived credentials that allow apps to renew access without user intervention—further extends the risk window, potentially keeping OneDrive exposed for hours or longer.

Older versions (6.0–7.2) are even more vulnerable, having stored tokens in localStorage or URL fragments, both considered insecure practices by modern security standards.

Mitigation Steps and Recommendations

With hundreds of web applications integrating the OneDrive File Picker, Oasis Security estimates millions of users may be affected.

Microsoft has acknowledged the issue and is considering future improvements, but no fix is currently available.

For Individual Users:

  • Review which apps have access to your OneDrive via Microsoft Account privacy settings.
  • Revoke access for any unfamiliar or unnecessary apps.
  • Be cautious when granting permissions through OAuth consent screens, and prefer apps that request only the minimum necessary access.

For Organizations:

  • Use the Entra Admin Center to audit enterprise applications and their permissions.
  • Enforce admin consent or conditional-access policies to block apps requesting more than the Files.Read scope.
  • Monitor Graph API and CASB logs for anomalous OneDrive access patterns.

For Developers:

  • Avoid requesting the offline_access scope and using refresh tokens.
  • Store access tokens securely and dispose of them promptly.
  • Consider alternative integration methods, such as supporting “view-only” shared file links, until Microsoft provides more granular OAuth scopes.
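As an added example, not code from the article or from Oasis Security, the organisation rule (block anything beyond Files.Read) and the developer rule (no offline_access) above expressed as a scope audit in Node.js. It assumes scopes arrive either as bare names or prefixed with the Graph resource URI, and reads the space-separated `scp` claim that Microsoft Graph access tokens carry for delegated permissions; the broader Files.* scope names are documented Graph permissions not named on the page, and the sample token is constructed and unsigned.

```javascript
// Delegated Graph scopes that grant more than Files.Read (documented Graph
// permissions; the article names only Files.Read and offline_access).
const OVERBROAD = new Set(["Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All"]);
const REFRESH_SCOPE = "offline_access";
const GRAPH_PREFIX = "https://graph.microsoft.com/";

// Scopes may be bare names or prefixed with the Graph resource URI.
function normaliseScope(raw) {
  const s = raw.trim();
  return s.startsWith(GRAPH_PREFIX) ? s.slice(GRAPH_PREFIX.length) : s;
}

// Check a list of delegated scopes against the two rules from the article:
// nothing broader than Files.Read, and no offline_access (no refresh tokens).
function auditScopes(scopes) {
  const findings = [];
  for (const raw of scopes) {
    const scope = normaliseScope(raw);
    if (scope === REFRESH_SCOPE) {
      findings.push({ scope, issue: "refresh token keeps OneDrive reachable after the session ends" });
    } else if (OVERBROAD.has(scope)) {
      findings.push({ scope, issue: "grants access beyond the files the user selected" });
    }
  }
  return findings;
}

// Decode a JWT payload WITHOUT verifying the signature. This inspects what a
// token your own app already holds was issued with; it is not token validation.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Delegated permissions in a Graph access token live in the `scp` claim.
function auditAccessToken(token) {
  const scp = decodeJwtPayload(token).scp || "";
  return auditScopes(scp.split(" ").filter(Boolean));
}

// Constructed sample: unsigned (alg "none", empty signature) token carrying the
// kind of over-broad grant the article describes. Not a real Microsoft token.
function makeSampleToken(scp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc({ aud: "https://graph.microsoft.com", scp })}.`;
}
const SAMPLE_TOKEN = makeSampleToken("Files.ReadWrite.All offline_access User.Read");

console.log(auditAccessToken(SAMPLE_TOKEN));
```

Run the same audit over the scopes listed in an app's consent request, or over the `scp` of a token MSAL has cached, to spot integrations that exceed the recommended ceiling.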

The Oasis Security Research Team continues to work with vendors and Microsoft to drive improvements in OAuth scope management and user transparency.

Until a fix is implemented, vigilance and careful review of third-party app permissions are essential to protect sensitive data stored in OneDrive.


The post Critical OneDrive Flaw Lets Malicious Websites Access All Your Files appeared first on Cyber Security News.