- Researchers found a flaw in Microsoft OneDrive File Picker
- The flaw stems from the lack of fine-grained OAuth permissions
- Microsoft acknowledges the flaw but has not fixed it yet
A vulnerability has been found in Microsoft’s OneDrive File Picker, which could give threat actors access to people’s entire cloud archives, experts have warned.
Security researchers at Oasis discovered the flaw and reported it to Microsoft, noting that the problem lies in the excessive permissions File Picker requests, including read access to the entire drive. The tool asks for these permissions because OneDrive's OAuth scopes are not fine-grained.
File Picker is a OneDrive component that lets websites and applications integrate directly with the cloud storage service. It lets users manage their OneDrive account from within a third-party interface, giving seamless file access.
Reading the calendar
“This stems from overly broad OAuth scopes and misleading consent screens that do not clearly explain the extent of access being granted,” explained the Oasis research team in a report.
“This error can have serious consequences, including leakage of customer data and violation of compliance rules.”
Oasis also emphasized that a number of popular apps, such as ChatGPT, Trello or Slack, are also affected, as they integrate with OneDrive.
The researchers also said the prompts shown when users upload files are not clear enough, which can mislead people into believing that their cloud storage is safe.
“The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps targeting all files and legitimate apps asking for excessive permissions simply because there is no other secure option,” Oasis concluded.
If that weren't enough, Oasis also said OAuth tokens are often kept insecurely, as they are stored in the browser's session storage in plaintext.
Microsoft has reportedly acknowledged the problem but has not yet released a patch.
If you are concerned about exposing your OneDrive storage, you can temporarily remove the option to upload files from OneDrive via OAuth. You can also stop using refresh tokens and make sure access tokens are stored more securely.
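As an added illustration that is not part of the article or of Oasis Security's research, the following JavaScript shows how an integration owner could check for both problems described here: which OAuth scopes a File Picker sign-in request asks for, and whether tokens are sitting in session storage in plaintext. The Microsoft Graph scope names are real; the authorization URL, client ID and storage contents are constructed samples.

```javascript
// Added example, not code from the article or from Oasis Security.
// Files.Read.All, Files.ReadWrite.All and offline_access are real Microsoft Graph
// scope names; the authorization URL and the storage contents below are constructed.
const BROAD_DRIVE_SCOPES = new Set(["Files.Read.All", "Files.ReadWrite.All"]);

// Inspect the scopes an integration requests in its OAuth authorization URL.
// Whole-drive scopes let the app read far more than the file being picked;
// offline_access means a long-lived refresh token is issued as well.
function auditAuthorizeUrl(authorizeUrl) {
  const scopeParam = new URL(authorizeUrl).searchParams.get("scope") || "";
  const scopes = scopeParam.split(/\s+/).filter(Boolean);
  return {
    scopes,
    broadScopes: scopes.filter((s) => BROAD_DRIVE_SCOPES.has(s)),
    requestsRefreshToken: scopes.includes("offline_access"),
  };
}

// Scan a Web Storage-like object (sessionStorage/localStorage in a browser, a plain
// object in this stand-alone example) for JSON values holding tokens in the clear.
function findPlaintextTokens(storage) {
  const hits = [];
  for (const [key, value] of Object.entries(storage)) {
    let parsed;
    try { parsed = JSON.parse(value); } catch { continue; } // non-JSON values are skipped
    if (!parsed || typeof parsed !== "object") continue;
    for (const field of ["access_token", "refresh_token"]) {
      if (typeof parsed[field] === "string") hits.push({ key, field });
    }
  }
  return hits;
}

// Turn both checks into human-readable findings for one integration.
function auditIntegration(authorizeUrl, storage) {
  const auth = auditAuthorizeUrl(authorizeUrl);
  const findings = auth.broadScopes.map((s) => `whole-drive scope requested: ${s}`);
  if (auth.requestsRefreshToken) findings.push("offline_access requested: a refresh token will be issued");
  for (const h of findPlaintextTokens(storage)) findings.push(`plaintext ${h.field} in storage key "${h.key}"`);
  return findings;
}

// Constructed sample: the kind of request and token storage the article describes.
const SAMPLE_AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=00000000-0000-0000-0000-000000000000&response_type=code" +
  "&scope=openid%20Files.Read.All%20offline_access";
const SAMPLE_SESSION_STORAGE = {
  theme: "dark",
  "picker.token": JSON.stringify({ access_token: "eyJ.constructed", refresh_token: "0.constructed" }),
};
console.log(auditIntegration(SAMPLE_AUTHORIZE_URL, SAMPLE_SESSION_STORAGE).join("\n"));
```

In a browser, pass `Object.fromEntries(Object.entries(sessionStorage))` as the storage argument; a finding for a plaintext token means the token should be held in memory or server-side instead.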
Via The Hacker News