Cybersecurity researchers have found a significant security flaw. It exists in Microsoft’s OneDrive File Picker tool. If exploited, this flaw allows broad access. Websites could access a user’s entire cloud storage. This is much more than just selected files. The Oasis Research Team shared these findings. They said it stems from overly broad OAuth scopes. Misleading consent screens also contribute to the problem. These screens fail to clearly explain access extent. Several popular apps are potentially affected by this. ChatGPT, Slack, Trello, and ClickUp are examples. This is due to their integration with Microsoft’s service. The core issue is excessive permission requests.
The consent prompt users see is quite vague. It does not adequately convey the access level.
This situation exposes users to unexpected security risks. The lack of fine-grained OAuth scopes is critical. It makes it impossible for users to distinguish. They cannot tell malicious apps from legitimate ones. Legitimate apps might ask for excessive permissions. This happens simply because no secure alternative exists. Furthermore, the OAuth tokens are often stored insecurely. These tokens authorize access to the user’s data. They are frequently saved in browser session storage. Worryingly, they are stored in plaintext format there.
This adds another layer of considerable risk.
Another potential pitfall involves refresh tokens. Authorization workflows may also issue these special tokens. They grant an application ongoing, long-term access. This access is to the user’s valuable data. The application can get new access tokens. It does this without asking the user to log in again. This happens when the current token expires. Microsoft has acknowledged this serious problem. This acknowledgment followed a responsible disclosure process. However, a fix for the flaw is not yet available. In the interim, temporary measures are advised. Consider removing OneDrive OAuth uploads until a fix. Avoiding refresh tokens is also recommended.
The combination of these factors is dangerous. The lack of fine-grained scopes is one part. Microsoft’s vague user prompt is another significant part. This puts both personal and enterprise users at risk. This discovery reinforces several important security principles. Continuous vigilance in OAuth scope management is vital. Regular, thorough security assessments are also crucial. Proactive monitoring helps to protect sensitive user data. The flaw could have severe, widespread consequences. Customer data leakage is a major concern. Violations of compliance regulations are also possible. Users must be cautious about granted permissions.
Reference:
