- Researchers found a flaw in the Microsoft OneDrive File Picker
- The flaw stems from the absence of fine-grained OAuth scopes
- Microsoft has acknowledged the defect but has not yet fixed it
A vulnerability has been found in the Microsoft OneDrive File Picker that could allow threat actors to access people's cloud storage, experts warned.
Oasis Security researchers discovered the flaw and reported it to Microsoft, noting that the problem lies in the excessive permissions the File Picker requests, including read access to the entire drive. The tool requests these permissions because the OAuth scopes for OneDrive are not fine-grained.
File Picker is a tool in OneDrive that lets websites and applications integrate directly with the cloud storage service. This way, users can manage their OneDrive account from a third-party interface, which gives that interface seamless access to their files.
"This stems from overly broad OAuth scopes and misleading consent screens that fail to explain the extent of the access being granted," the Oasis research team said in a report.
"This flaw could have serious consequences, in particular the leakage of customer data and violations of compliance regulations."
Oasis also pointed out that a number of popular applications, such as ChatGPT, Trello and Slack, are also affected because they integrate with OneDrive.
The researchers also said that the messaging shown when downloading files is not clear enough, which could mislead people into thinking that their cloud storage is secure.
"The absence of fine-grained scopes leaves users unable to distinguish between malicious applications that target all files and legitimate applications that request excessive permissions simply because there is no other secure option," Oasis concluded.
If that was not enough, Oasis also said that OAuth tokens are often stored insecurely, because they are saved in the browser's session storage in clear text.
Microsoft is reported to have acknowledged the problem but has not yet shipped a fix.
If you are worried about exposing your OneDrive storage, you may want to temporarily remove the option to upload files via OneDrive using OAuth. You can also stop using refresh tokens and make sure you store access tokens more securely.
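The two findings above, tokens sitting in clear text in the browser's session storage and drive-wide scopes being requested, can be checked for from the defender's side. The following is an added example, not code from the article or from Oasis; it audits a Web Storage-shaped object (such as `window.sessionStorage`) and flags plaintext access tokens, refresh tokens kept in the browser, and drive-wide scopes. The drive-wide scope names and the storage keys in the sample are assumptions chosen for illustration.

```javascript
// Added example (not from the article or Oasis). Audits browser session
// storage for the issues the article raises. Scope names are assumed
// drive-wide Microsoft Graph scopes, not values taken from the article.
const DRIVE_WIDE_SCOPES = ['Files.Read.All', 'Files.ReadWrite.All'];
// Three base64url segments separated by dots: the shape of a JWT.
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

function auditOAuthStorage(storage) {
  // storage: anything with the Web Storage shape (length, key(i), getItem(k)).
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    let parsed = null;
    try { parsed = JSON.parse(value); } catch (_) { /* not JSON, treat as raw */ }
    // A JSON record is inspected field by field; a raw string is one field.
    const record = parsed && typeof parsed === 'object' ? parsed : { [key]: value };
    for (const [field, v] of Object.entries(record)) {
      const name = field.toLowerCase();
      if (name.includes('refresh_token') && typeof v === 'string' && v) {
        findings.push({ key, issue: 'refresh_token_in_browser' });
      } else if (typeof v === 'string' && (name.includes('access_token') || JWT_RE.test(v))) {
        findings.push({ key, issue: 'plaintext_access_token' });
      }
      if (name === 'scope' && typeof v === 'string') {
        const broad = v.split(/\s+/).filter((s) => DRIVE_WIDE_SCOPES.includes(s));
        if (broad.length) findings.push({ key, issue: 'drive_wide_scope', scopes: broad });
      }
    }
  }
  return findings;
}

// Constructed stub with the Web Storage shape, so the audit runs outside a browser.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    get length() { return keys.length; },
    key: (i) => keys[i],
    getItem: (k) => (k in entries ? entries[k] : null),
  };
}

// Constructed sample of what a picker integration might leave behind.
const SAMPLE = makeStorage({
  'onedrive-picker-auth': JSON.stringify({
    access_token: 'eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2ln', // fake JWT
    refresh_token: 'constructed-refresh-token',
    scope: 'openid Files.ReadWrite.All',
  }),
  'ui.theme': 'dark',
});
```

In a browser, `auditOAuthStorage(window.sessionStorage)` runs the same check against the real store.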
Via The Hacker News