The vulnerability allows websites and applications to gain unauthorized access to a user’s complete OneDrive storage, far exceeding the intended permissions for specific file uploads.
The security researchers estimate that hundreds of popular applications are affected by this vulnerability, including widely-used platforms such as ChatGPT, Slack, Trello, and ClickUp.
This widespread adoption means millions of users may have unknowingly granted these applications excessive access to their personal and professional OneDrive content, creating significant privacy and security risks.
The OneDrive File Picker vulnerability stems from Microsoft’s implementation of OAuth permissions, which requests read access to an entire OneDrive account even when users intend to upload only a single file.
This occurs because Microsoft lacks fine-grained OAuth scopes that would allow more precise permission controls.
When users attempt to upload files through third-party applications using the OneDrive File Picker, they receive a consent prompt that uses vague and unclear language.
This ambiguous messaging fails to adequately communicate the extensive level of access being granted, leaving users vulnerable to unexpected security risks.
The broad permissions make it virtually impossible for users to distinguish between legitimate applications that require excessive permissions due to technical limitations and malicious applications intentionally seeking unauthorized access to all files.
The implications of this vulnerability extend beyond individual privacy concerns, as enterprise users face potential compliance violations and customer data leakage.
Organizations using affected applications may inadvertently expose sensitive corporate data stored in OneDrive accounts.
OneDrive Vulnerability
The vulnerability involves two primary technical issues that compound the security risk.
First, the OneDrive File Picker’s latest version (8.0) requires developers to handle authentication independently, typically using Microsoft’s Authentication Library (MSAL) with Authorization Flow protocols.
This implementation creates additional security vulnerabilities, as MSAL stores sensitive authentication tokens in browser session storage as plain text, making them accessible to malicious scripts or unauthorized access.
Furthermore, the Authorization Flow may issue Refresh Tokens that extend access periods, providing ongoing access to user data even after the initial file upload session concludes.
OpenAI, the company behind ChatGPT, currently uses version 8.0 of the OneDrive File Picker, highlighting how major technology companies are affected by these security flaws.
The combination of excessive permissions and insecure token storage creates a dangerous security environment that puts both personal and enterprise users at significant risk.
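As an added illustration of the token-storage issue described above (this is not code from the article, from Oasis Security or from Microsoft), the script below inspects a browser Storage object for MSAL-style cached credentials and removes only the refresh-token entries, leaving short-lived access tokens in place. It assumes MSAL.js's cache convention of a JSON value carrying a credentialType field of "RefreshToken" or "AccessToken" and a key that embeds the credential type in lower case; both the MemoryStorage shim and the cache contents are constructed so it runs under Node. In a browser the realistic target is window.sessionStorage or window.localStorage.

```javascript
// Added example (not from the original article, Oasis Security or Microsoft):
// find MSAL-style refresh-token entries in a Storage-like cache and remove them.
// Assumption: MSAL.js keys each cached credential as
// "<homeAccountId>-<environment>-<credentialtype>-<clientId>-..." and stores a
// JSON value with a credentialType field ("RefreshToken", "AccessToken", ...).
// The key layout is an assumption for illustration; the JSON field is checked first.

// Minimal Storage-like shim so the example runs under Node without a browser.
class MemoryStorage {
  constructor(entries = {}) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  removeItem(k) { this.map.delete(k); }
}

// Classify one cache entry: returns its credential type string or null.
function classifyEntry(key, rawValue) {
  let parsed = null;
  try { parsed = JSON.parse(rawValue); } catch { /* not JSON: fall through */ }
  if (parsed && typeof parsed.credentialType === "string") {
    return parsed.credentialType;
  }
  // Fall back on the key convention when the value is not parseable JSON.
  const lower = key.toLowerCase();
  if (lower.includes("-refreshtoken-")) return "RefreshToken";
  if (lower.includes("-accesstoken-")) return "AccessToken";
  return null;
}

// List every refresh-token entry in a Storage-like object.
function findRefreshTokenKeys(storage) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (classifyEntry(k, storage.getItem(k)) === "RefreshToken") keys.push(k);
  }
  return keys;
}

// Remove refresh tokens only; access tokens and other entries stay untouched.
// Keys are collected first so removal never races the index-based iteration.
function purgeRefreshTokens(storage) {
  const keys = findRefreshTokenKeys(storage);
  for (const k of keys) storage.removeItem(k);
  return keys.length;
}

// Constructed sample cache; the secrets are placeholders, not real tokens.
const CLIENT_ID = "11111111-2222-3333-4444-555555555555"; // placeholder app id
const sampleCache = new MemoryStorage({
  [`uid.utid-login.windows.net-refreshtoken-${CLIENT_ID}--`]:
    JSON.stringify({ credentialType: "RefreshToken", secret: "PLACEHOLDER_RT" }),
  [`uid.utid-login.windows.net-accesstoken-${CLIENT_ID}-tid-files.read.all`]:
    JSON.stringify({ credentialType: "AccessToken", secret: "PLACEHOLDER_AT" }),
  [`msal.token.keys.${CLIENT_ID}`]: "not-json",
});

console.log("refresh tokens found:", findRefreshTokenKeys(sampleCache));
console.log("entries removed:", purgeRefreshTokens(sampleCache));
```

Running this against the constructed cache reports one refresh-token key and removes exactly that entry; the access token and the unparseable bookkeeping entry survive.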
Mitigations
Following Oasis Security’s disclosure, Microsoft has acknowledged the vulnerability and indicated it is considering future improvements to better align OneDrive File Picker functionality with appropriate access requirements. However, no specific timeline for fixes has been announced.
In the interim, Oasis Security recommends several mitigation strategies for users and organizations.
Individual users should review third-party applications with OneDrive access through their Microsoft Account privacy settings and revoke unnecessary permissions.
Organizations can audit enterprise applications through the Entra Admin Center to identify and manage delegated permissions.
For developers, Oasis Security advises temporarily removing OneDrive upload functionality or implementing safer alternatives such as supporting view-only shared file links.
If removal isn’t feasible, developers should avoid using Refresh Tokens, securely store Access Tokens, and eliminate any existing Refresh Token storage to minimize ongoing security risks.
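To make the organisational audit above concrete, the following added example (not code from the article, Oasis Security or Microsoft) classifies delegated permission grants by how much OneDrive exposure they carry. It assumes records shaped like Microsoft Graph oauth2PermissionGrant objects (clientId, consentType, principalId, resourceId and a space-separated scope string); the grant records and client identifiers below are constructed placeholders. Every Files.* delegated scope covers the whole drive rather than a single file, which is the point the article makes about missing fine-grained scopes, and offline_access is the scope through which a client obtains refresh tokens, so a grant combining the two is ranked highest.

```javascript
// Added example (not from the original article, Oasis Security or Microsoft):
// rank delegated permission grants by OneDrive exposure.
// Assumption: input records follow the Microsoft Graph oauth2PermissionGrant shape
// with scope as a space-separated string; sample records below are constructed.

// Each of these delegated Graph scopes covers the user's whole drive.
const WHOLE_DRIVE_SCOPES = new Set([
  "Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
]);
// offline_access is the scope that allows the client to receive refresh tokens.
const PERSISTENT_SCOPE = "offline_access";

function parseScopes(scopeString) {
  return (scopeString || "").split(/\s+/).filter(Boolean);
}

// Return a finding for a grant that confers whole-drive access, or null otherwise.
function assessGrant(grant) {
  const scopes = parseScopes(grant.scope);
  const driveScopes = scopes.filter((s) => WHOLE_DRIVE_SCOPES.has(s));
  if (driveScopes.length === 0) return null;
  const persistent = scopes.includes(PERSISTENT_SCOPE);   // refresh tokens possible
  const tenantWide = grant.consentType === "AllPrincipals"; // admin consent for everyone
  let severity = "medium";
  if (persistent) severity = "high";
  if (persistent && tenantWide) severity = "critical";
  return { clientId: grant.clientId, consentType: grant.consentType,
           driveScopes, persistent, tenantWide, severity };
}

function severityRank(sev) {
  return { critical: 3, high: 2, medium: 1 }[sev] ?? 0;
}

// Audit a list of grants and return findings, most severe first.
function auditGrants(grants) {
  return grants
    .map(assessGrant)
    .filter((f) => f !== null)
    .sort((a, b) => severityRank(b.severity) - severityRank(a.severity));
}

// Constructed sample grants; client ids are placeholders, not real app registrations.
const SAMPLE_GRANTS = [
  { clientId: "app-a-PLACEHOLDER", consentType: "Principal", principalId: "user-1",
    resourceId: "graph-PLACEHOLDER", scope: "openid profile User.Read" },
  { clientId: "app-b-PLACEHOLDER", consentType: "Principal", principalId: "user-1",
    resourceId: "graph-PLACEHOLDER", scope: "openid Files.Read offline_access" },
  { clientId: "app-c-PLACEHOLDER", consentType: "AllPrincipals", principalId: null,
    resourceId: "graph-PLACEHOLDER", scope: "Files.ReadWrite.All offline_access User.Read" },
  { clientId: "app-d-PLACEHOLDER", consentType: "Principal", principalId: "user-2",
    resourceId: "graph-PLACEHOLDER", scope: "Files.Read.All" },
];

for (const f of auditGrants(SAMPLE_GRANTS)) {
  console.log(`${f.severity.padEnd(8)} ${f.clientId} ${f.driveScopes.join(",")}` +
              (f.persistent ? " +refresh" : "") + (f.tenantWide ? " tenant-wide" : ""));
}
```

On the constructed input the tenant-wide grant with Files.ReadWrite.All and offline_access ranks critical, the single-user Files.Read grant with offline_access ranks high, the read-only grant without offline_access ranks medium, and the grant with only User.Read produces no finding. The same function applies unchanged to records exported from the Entra admin tooling, provided they keep the oauth2PermissionGrant field names.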
The post Critical OneDrive Vulnerability Lets Websites Access All User Files appeared first on Cyber Security News.
