Microsoft OneDrive File Picker Vulnerability Exposes Users’ Entire Cloud Storage to Websites
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A critical security flaw in Microsoft’s OneDrive File Picker has exposed millions of users to unauthorized data access, allowing third-party web applications to gain complete access to users’ entire OneDrive storage rather than just selected files.
Security researchers from Oasis Security reported on May 28, 2025, that this vulnerability stems from overly broad OAuth scopes and misleading consent screens that fail to communicate the extent of access being granted clearly.
The OneDrive File Picker flaw affects hundreds of widely used web applications, including ChatGPT, Slack, Trello, and ClickUp, potentially putting millions of users at risk.
OneDrive File Picker Vulnerability
The vulnerability arises from the picker’s implementation of insufficient OAuth scope granularity, which requests broad File Access.Read.All or Files.ReadWrite.All permissions even when users intend to upload or share a single file.
Unlike competitors such as Google Drive, which offers fine-grained OAuth scopes like drive.file to restrict access to app-created or user-selected files, Microsoft’s implementation grants unrestricted access to all OneDrive content.
Dropbox employs an even more secure approach with its Chooser SDK, using a proprietary endpoint that avoids OAuth flows entirely.
The consent dialog presented to users is particularly problematic, as it doesn’t convey that a click grants the integrator access to every file and folder in the user’s OneDrive, not just the document they intended to share.
Insecure token storage practices across different versions of the OneDrive File Picker compound the security risks, reads the Oasis Security report.
Older versions (6.0-7.2) used implicit authentication flows that exposed sensitive access tokens in URL fragments or stored them insecurely in browser localStorage.
The latest version (8.0) requires developers to handle authentication using the Microsoft Authentication Library (MSAL), but still stores tokens in session storage in plain text.
MSAL’s Authorization Flow implementation creates additional vulnerabilities by potentially issuing Refresh Tokens that extend access periods beyond the typical one-hour token expiration.
These long-lived tokens, when cached in localStorage or backend databases without encryption, create persistent attack vectors for malicious actors to access entire OneDrive repositories.
The technical implementation requires developers to request permissions such as MyFiles.Read, Sites.Read.All, or Files.ReadWrite.All through delegated permissions, but the lack of file-scoped permissions makes it impossible to limit access to specific documents.
Microsoft Response
Microsoft has acknowledged the security report and indicated it “may consider improvements in the future,” though no specific timeline has been provided.
Security experts recommend immediate action from both users and organizations to mitigate risks.
For individual users, experts advise reviewing third-party app access through Microsoft Account privacy settings and revoking unnecessary permissions.
Organizations should implement admin consent policies or conditional-access controls that block applications requesting anything beyond Files.Read permissions.
Web application developers are urged to avoid requesting offline access scopes that generate Refresh Tokens and to implement secure token storage practices.
Additionally, security teams should monitor Graph API and Cloud Access Security Broker (CASB) logs for anomalous OneDrive access patterns.
#Cyber_Security #Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Microsoft OneDrive File Picker Vulnerability Exposes Users’ Entire Cloud Storage to Websites
Author: Guru BaranA critical security flaw in Microsoft’s OneDrive File Picker has exposed millions of users to unauthorized data access, allowing third-party web applications to gain complete access to users’ entire OneDrive storage rather than just selected files.
Security researchers from Oasis Security reported on May 28, 2025, that this vulnerability stems from overly broad OAuth scopes and misleading consent screens that fail to communicate the extent of access being granted clearly.
The OneDrive File Picker flaw affects hundreds of widely used web applications, including ChatGPT, Slack, Trello, and ClickUp, potentially putting millions of users at risk.
OneDrive File Picker Vulnerability
The vulnerability arises from the picker’s implementation of insufficient OAuth scope granularity, which requests broad File Access.Read.All or Files.ReadWrite.All permissions even when users intend to upload or share a single file.
Unlike competitors such as Google Drive, which offers fine-grained OAuth scopes like drive.file to restrict access to app-created or user-selected files, Microsoft’s implementation grants unrestricted access to all OneDrive content.
Dropbox employs an even more secure approach with its Chooser SDK, using a proprietary endpoint that avoids OAuth flows entirely.
The consent dialog presented to users is particularly problematic, as it doesn’t convey that a click grants the integrator access to every file and folder in the user’s OneDrive, not just the document they intended to share.
Insecure token storage practices across different versions of the OneDrive File Picker compound the security risks, reads the Oasis Security report.
Older versions (6.0-7.2) used implicit authentication flows that exposed sensitive access tokens in URL fragments or stored them insecurely in browser localStorage.
The latest version (8.0) requires developers to handle authentication using the Microsoft Authentication Library (MSAL), but still stores tokens in session storage in plain text.
MSAL’s Authorization Flow implementation creates additional vulnerabilities by potentially issuing Refresh Tokens that extend access periods beyond the typical one-hour token expiration.
These long-lived tokens, when cached in localStorage or backend databases without encryption, create persistent attack vectors for malicious actors to access entire OneDrive repositories.
The technical implementation requires developers to request permissions such as MyFiles.Read, Sites.Read.All, or Files.ReadWrite.All through delegated permissions, but the lack of file-scoped permissions makes it impossible to limit access to specific documents.
Microsoft Response
Microsoft has acknowledged the security report and indicated it “may consider improvements in the future,” though no specific timeline has been provided.
Security experts recommend immediate action from both users and organizations to mitigate risks.
For individual users, experts advise reviewing third-party app access through Microsoft Account privacy settings and revoking unnecessary permissions.
Organizations should implement admin consent policies or conditional-access controls that block applications requesting anything beyond Files.Read permissions.
Web application developers are urged to avoid requesting offline access scopes that generate Refresh Tokens and to implement secure token storage practices.
Additionally, security teams should monitor Graph API and Cloud Access Security Broker (CASB) logs for anomalous OneDrive access patterns.
#Cyber_Security #Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
