Cybersecurity researchers have discovered a security flaw in Microsoft’s OneDrive File Picker that, if successfully exploited, could allow websites to access a user’s entire cloud storage content, as opposed to just the files selected for upload via the tool.
“This stems from overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted,” the Oasis Research Team said in a report shared with The Hacker News. “This flaw could have severe consequences, including customer data leakage and violation of compliance regulations.”
It’s assessed that several apps are affected, such as ChatGPT, Slack, Trello, and , given their integration with Microsoft’s cloud service.
The problem, Oasis said, is the result of excessive permissions requested by the OneDrive File Picker, which seeks read access to the entire drive, even in cases only a single file is uploaded due to the absence of fine-grained OAuth scopes for OneDrive.
Compounding matters further, the consent prompt users are presented with prior to a file upload is vague and does not adequately convey the level of access being granted, thereby exposing users to unexpected security risks.
“The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option,” Oasis noted.
The New York-based security company further pointed out that the OAuth tokens used to authorize access are often stored insecurely, adding they are saved in the browser’s session storage in plaintext format.
Another potential pitfall is that the authorization workflows may also involve issuing a refresh token, granting the application ongoing access to user data by allowing it to get new access tokens without having to ask the user to log in again when the current token expires.
Following responsible disclosure, Microsoft has acknowledged the problem, although there is no fix as yet. In the interim, it’s worth considering temporarily removing the option to upload files using OneDrive through OAuth until a secure alternative is in place. Alternately, it’s advised to avoid using refresh tokens and store access tokens in a secure manner and get rid of them when no longer needed.
When reached for comment, Microsoft said: “We appreciate the partnership with Oasis security in responsibly disclosing this issue. This technique does not meet our bar for immediate servicing as a user must provide consent to the application before any access is allowed. We will consider improvements to the experience in a future release.”
“The lack of fine-grained OAuth scopes combined with Microsoft’s vague user prompt is a dangerous combination that puts both personal and enterprise users at risk,” Oasis said. “This discovery reinforces the importance of continuous vigilance in OAuth scope management, regular security assessments, and proactive monitoring to protect user data.”
(The story was updated after publication to include a response from Microsoft.)
