Security Flaw in OneDrive File Picker Exposes Users to Risks

Millions of users of Microsoft’s OneDrive may be unwittingly granting third-party web applications full access to their entire cloud storage, according to a recent report by researchers at Oasis Security. The issue arises from the OneDrive File Picker’s OAuth permissions, which fail to adequately limit app access to users’ content, instead allowing broad access to all files. Popular applications like Slack and Trello are among the hundreds affected by this vulnerability.

The researchers disclosed that, while users are prompted for consent before using the OneDrive File Picker to upload files, the consent dialog's vague language does not clearly communicate the extent of the access being granted. This oversight leaves users exposed to data loss and compliance violations, since, as the report highlights, malicious actors could exploit the over-broad access to steal, modify, or encrypt confidential files stored in OneDrive.

Oasis emphasized that the lack of fine-grained OAuth scopes for OneDrive means that any app using the File Picker can potentially gain read access to the entire OneDrive account, not just the files the user selected, compromising sensitive information. The security implications extend beyond unauthorized data access: the issue could also lead to compliance breaches if organizations rely on third-party apps without adequate oversight.
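One defensive check that follows from this is to audit which apps in a tenant hold drive-wide delegated scopes. The script below is an added example, not code from Oasis Security or Microsoft; it assumes consent grants have been exported in the shape of Microsoft Graph oauth2PermissionGrant objects (a space-separated `scope` string plus `clientId` and `consentType`), and the sample grants are constructed for illustration.

```python
"""Audit delegated OAuth consent grants for drive-wide file scopes.

Added example (not from Oasis Security or Microsoft). Assumes grants were
exported as Microsoft Graph oauth2PermissionGrant objects; sample data below
is constructed, not real tenant data.
"""
from dataclasses import dataclass

# Delegated scopes that expose every file in the signed-in user's drive
# (and, for Sites.*, every SharePoint site the user can reach), rather than
# only the files chosen in the picker.
BROAD_FILE_SCOPES = {"Files.Read.All", "Files.ReadWrite.All",
                     "Sites.Read.All", "Sites.ReadWrite.All"}


@dataclass(frozen=True)
class Finding:
    client_id: str
    consent_type: str   # "AllPrincipals" means admin consent for every user
    broad_scopes: tuple


def audit_grants(grants):
    """Return one Finding per grant that carries a drive-wide file scope."""
    findings = []
    for g in grants:
        granted = set(g.get("scope", "").split())
        broad = sorted(granted & BROAD_FILE_SCOPES)
        if broad:
            findings.append(Finding(g["clientId"], g.get("consentType", ""),
                                    tuple(broad)))
    # Tenant-wide admin consents first: they affect every user at once.
    findings.sort(key=lambda f: (f.consent_type != "AllPrincipals", f.client_id))
    return findings


# Constructed sample grants (hypothetical client ids).
SAMPLE_GRANTS = [
    {"clientId": "app-picker-1", "consentType": "Principal",
     "scope": "openid profile Files.Read.All offline_access"},
    {"clientId": "app-mail-2", "consentType": "Principal",
     "scope": "Mail.Read User.Read"},
    {"clientId": "app-pm-3", "consentType": "AllPrincipals",
     "scope": "Files.ReadWrite.All Sites.Read.All"},
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"{f.client_id}: {f.consent_type} consent grants "
              f"{', '.join(f.broad_scopes)}")
```

Grants flagged with `AllPrincipals` deserve the first review, since a single admin consent exposes every user's drive to that app.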

The latest version of OneDrive's File Picker has raised additional concerns because it stores sensitive authentication tokens insecurely in the browser, making them susceptible to theft. Security experts warn that if these tokens are compromised, attackers could maintain long-term access to a user's OneDrive files, exacerbating the risk of data breaches. Eric Schwake, a cybersecurity director at Salt Security, noted that leaving these vulnerabilities unaddressed could enable malicious actors to exploit them effectively.

Microsoft has yet to respond to inquiries regarding the reported vulnerabilities but is reported to be aware of the issue and may consider improvements to address it. In the interim, cybersecurity experts recommend that users limit the sensitive data they store in OneDrive or deny access to unvetted apps to mitigate the risk.