
Potential vulnerability in Microsoft OneDrive's key feature, potentially putting user data at risk

Consider temporarily halting file uploads via OneDrive with OAuth authorization.


Microsoft's OneDrive File Picker, a tool that gives third-party interfaces seamless access to a user's files, has been found to contain a vulnerability that could expose users' entire cloud archives to threat actors.

Security researchers at Oasis discovered the flaw, which arises from overly broad OAuth scopes and misleading consent screens that fail to explain clearly the extent of access being granted, according to the Oasis Research Team's report.

The problem stems from the lack of fine-grained OAuth permissions in OneDrive, which allows the File Picker tool to request read access to the entire drive. Popular apps that integrate with OneDrive, such as ChatGPT, Trello, and Slack, are affected as well.

To avoid data leakage and compliance violations, the Oasis Research Team advises users to take proactive steps to secure their OneDrive cloud storage. One approach is to temporarily remove the option to upload files via OneDrive through OAuth. Users should also store access tokens more securely and be cautious of apps that request excessive permissions.

Microsoft has acknowledged the issue but has not yet provided a fix. To further secure OneDrive, experts recommend requiring admin consent for apps, auditing and managing app permissions, enabling continuous access evaluation, using modern authentication and MFA, monitoring and adjusting policies, and educating users about the risks of OAuth permissions.
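One way to act on the "audit and manage app permissions" advice is to scan the consent grants already recorded in a tenant for drive-wide file scopes. The script below is an added example, not code from the article, Oasis, or Microsoft; it works on records shaped like Microsoft Graph oauth2PermissionGrant objects (clientId, consentType, principalId, scope), the sample records are constructed, and the set of scopes treated as drive-wide is a policy assumption for the reader's tenant.

```python
"""Flag OAuth consent grants that give an app drive-wide rather than per-file access.

Records mimic Microsoft Graph oauth2PermissionGrant objects: "scope" is a
space-separated list of delegated scopes, and consentType "AllPrincipals"
means an admin consented on behalf of every user in the tenant.
"""
from dataclasses import dataclass
from typing import Optional

# Delegated scopes that cover every file (or every site) the user can reach.
# Assumption: this is the set your organisation considers over-broad.
DRIVE_WIDE_SCOPES = {
    "Files.Read", "Files.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}


@dataclass
class Finding:
    client_id: str
    tenant_wide: bool               # True when consentType == "AllPrincipals"
    principal_id: Optional[str]     # consenting user for per-user grants
    broad_scopes: tuple             # drive-wide scopes actually granted
    severity: str                   # "high" for write or tenant-wide, else "medium"


def audit_grants(grants):
    """Return one Finding per grant that includes a drive-wide scope."""
    findings = []
    for g in grants:
        requested = set(g.get("scope", "").split())
        broad = sorted(requested & DRIVE_WIDE_SCOPES)
        if not broad:
            continue  # nothing drive-wide requested, nothing to flag
        tenant_wide = g.get("consentType") == "AllPrincipals"
        write = any(s.startswith(("Files.ReadWrite", "Sites.ReadWrite")) for s in broad)
        severity = "high" if (tenant_wide or write) else "medium"
        findings.append(Finding(g["clientId"], tenant_wide, g.get("principalId"),
                                tuple(broad), severity))
    return findings


SAMPLE_GRANTS = [  # constructed sample; client ids are placeholders, not real app ids
    {"clientId": "app-filepicker-demo", "consentType": "Principal",
     "principalId": "user-1", "scope": "openid profile Files.Read.All"},
    {"clientId": "app-notes-demo", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Files.ReadWrite.All offline_access"},
    {"clientId": "app-calendar-demo", "consentType": "Principal",
     "principalId": "user-2", "scope": "User.Read Calendars.Read"},
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        who = "tenant-wide" if f.tenant_wide else f"user {f.principal_id}"
        print(f"[{f.severity}] {f.client_id}: {who} consent to {' '.join(f.broad_scopes)}")
```

Grants that come back "high" are the ones where revoking consent or moving the app behind an admin-consent workflow has the largest effect, since a single token reads or writes every file the consenting users can reach.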

  1. The lack of proper cybersecurity measures, such as fine-grained OAuth permissions, in OneDrive's File Picker tool could expose users' data to threat actors, as pointed out in the Oasis Research Team's report on the overly broad OAuth scopes and misleading consent screens.
  2. In light of the data and cloud-computing risks posed by apps like ChatGPT, Trello, and Slack integrating with OneDrive, users are advised to practice proactive cybersecurity by temporarily removing the option to upload files via OneDrive through OAuth, storing access tokens more securely, and being cautious of apps that request excessive permissions, as suggested by the Oasis Research Team.
