OneDrive File Picker Flaw Gives Apps Full Read Access to a User's Entire OneDrive
a year ago
- #OneDrive
- #DataPrivacy
- #Security
- Oasis Security disclosed a flaw in Microsoft's OneDrive File Picker: a website that embeds the picker can read the user's entire OneDrive, not only the files the user chose to share.
- Affected integrations include ChatGPT, Slack, Trello, and ClickUp, potentially exposing millions of users to data leakage and compliance violations.
- The root cause is over-permissioning: no OAuth scope exists that is fine-grained enough to cover only the files a user picks, so the picker requests read access to the whole drive, and the consent prompt is vague enough that users do not realise how much they are granting.
- The risk is compounded by insecure secret handling: access tokens are kept in plain text in browser session storage, where any script running in the page can read them, and picker flows that also obtain refresh tokens keep that broad access alive long after the upload has finished.
- Mitigations: audit which third-party apps have been granted OneDrive access and revoke what is not needed, check whether your own applications embed the OneDrive File Picker and which scopes they request, and do not request or store refresh tokens.
- Until Microsoft provides a secure, least-privilege alternative, Oasis recommends temporarily removing OneDrive upload options that rely on OAuth.
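The three technical points above (broad file scopes, tokens sitting in session storage, and the advice to check what your own picker integration requests) can be checked locally. The following is an added example, not code from Oasis Security, Microsoft, or the OneDrive File Picker SDK: it walks a Web Storage object for anything shaped like a JWT, and decodes the Microsoft identity platform `scp` claim (space-separated delegated permissions) to flag tokens that grant access to every file the user can reach. The scope names are real Microsoft Graph delegated permissions, but which of them count as "too broad" is my choice, the `User.Read`-only baseline is an assumption about what a simple upload feature needs, and the token in the demo is constructed and unsigned. Decoding is not verification: the signature is ignored, so this is an inspection aid, never an authorization check.

```javascript
// Added example (not from Oasis Security, Microsoft or the File Picker SDK).
// Works in a browser console (pass window.sessionStorage) and under Node 16+.

// Microsoft Graph delegated permissions that reach every file the user can
// access. Real permission names; treating them as "too broad" is my choice.
const BROAD_FILE_SCOPES = new Set([
  "Files.Read", "Files.ReadWrite",
  "Files.Read.All", "Files.ReadWrite.All",
  "Sites.Read.All", "Sites.ReadWrite.All",
]);

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(s.length / 4) * 4, "=");
  const bin = atob(b64);
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns the JWT payload as an object, or null if the value is not JWT-shaped.
// No signature check is performed: this only reads what the token claims.
function decodeJwtPayload(token) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return payload && typeof payload === "object" ? payload : null;
  } catch {
    return null;
  }
}

// Compare the delegated scopes a token carries (the `scp` claim) with the
// scopes the feature actually needs. `excess` is anything beyond the need;
// `broad` is the subset that opens the whole drive.
function auditTokenScopes(token, neededScopes) {
  const claims = decodeJwtPayload(token);
  if (!claims) return { valid: false, granted: [], excess: [], broad: [], overPrivileged: false };
  const granted = typeof claims.scp === "string" ? claims.scp.split(/\s+/).filter(Boolean) : [];
  const needed = new Set(neededScopes);
  const excess = granted.filter((s) => !needed.has(s));
  const broad = granted.filter((s) => BROAD_FILE_SCOPES.has(s));
  return { valid: true, aud: claims.aud, granted, excess, broad, overPrivileged: broad.length > 0 };
}

// Walk anything with the Web Storage surface (length/key/getItem), e.g.
// window.sessionStorage, and report entries that decode as JWTs. Whatever is
// readable here is readable by every script in the page, including third-party
// tags and an XSS payload: that is the exposure the advisory describes.
function findTokensInStorage(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const claims = decodeJwtPayload(storage.getItem(key));
    if (claims) hits.push({ key, aud: claims.aud, scp: claims.scp ?? null });
  }
  return hits;
}

// --- constructed demo data: unsigned fake token, in-memory storage stand-in ---
function makeUnsignedToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify(claims));
  return `${header}.${payload}.sig`; // "sig" is a placeholder, not a signature
}

class MemoryStorage { // minimal stand-in for window.sessionStorage
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

function demo() {
  const storage = new MemoryStorage();
  // What a picker flow could leave behind: a delegated Graph token whose scp
  // covers every file, next to an unrelated non-token value.
  storage.setItem("picker_access_token", makeUnsignedToken({
    aud: "https://graph.microsoft.com",
    scp: "Files.ReadWrite User.Read",
    exp: 1700000000,
  }));
  storage.setItem("ui_theme", "dark");

  const found = findTokensInStorage(storage);
  // Assumption: the upload feature only needs the signed-in identity plus the
  // one file the user picked, so User.Read is the whole baseline.
  const report = auditTokenScopes(storage.getItem("picker_access_token"), ["User.Read"]);
  return { found, report };
}
```

In a real page, call `findTokensInStorage(window.sessionStorage)` from the console after completing a picker upload; a hit whose `scp` contains any of the `BROAD_FILE_SCOPES` entries is the over-permissioned, plaintext-stored token the advisory warns about.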