Security researchers at Oasis Security have uncovered a significant vulnerability in Microsoft’s OneDrive File Picker, revealing that websites using the tool can gain access to a user’s entire OneDrive storage, not just the specific files intended for upload.
This flaw, which affects hundreds of apps including ChatGPT, Slack, Trello, and ClickUp, could impact millions of users and pose serious risks such as unauthorized data exposure and compliance violations.
According to Oasis, the vulnerability stems from how OneDrive File Picker handles permissions. While the interface is designed to let users upload selected files, it actually grants read access to the user’s entire OneDrive account. The root cause is the lack of fine-grained OAuth scopes in OneDrive’s implementation. Sensitive access credentials are also often stored insecurely by default, exacerbating the risk.
Oasis reported the issue to Microsoft and notified affected vendors. In response, Microsoft acknowledged the problem and indicated that future updates may include better alignment between the permissions requested and the functionality provided.
The newest version of the tool, OneDrive File Picker 8.0, shifts authentication responsibilities to developers, typically via the Microsoft Authentication Library (MSAL) and OAuth Authorization Flow. However, this shift introduces additional concerns. MSAL stores authentication tokens in browser session storage in plain text, and the OAuth flow can issue refresh tokens, granting persistent access to user data.
OpenAI, among other companies, currently uses version 8.0 of the tool.
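The scope and token-storage concerns in the two paragraphs above can be checked from an app's own side. The following is an added example, not code from Oasis, Microsoft or any app named here; it assumes MSAL.js cache entries carry `credentialType` and `secret` fields, treats `User.Read` as the only scope a hypothetical upload-only app needs, and builds its token and cache contents inline as constructed sample data.

```javascript
// Added example (not code from Oasis, Microsoft or any named app): audit what an
// MSAL.js cache in Web Storage holds, so an upload-only app can detect drive-wide
// read scopes and cached refresh tokens. Scope names are Microsoft Graph delegated
// permissions; the cache entry layout is assumed; all data below is constructed.

// base64url helpers; atob/btoa exist in browsers and Node >= 16.
const b64uEncode = s => btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const b64uDecode = s => atob(s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - s.length % 4) % 4));

function decodeJwtPayload(token) {  // no signature check: this audits, it does not validate
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(b64uDecode(parts[1]));
}

// Scopes in the token's `scp` claim that exceed the allowlist. Any scope ending
// in ".All" is treated as drive-wide and flagged even if it is on the allowlist.
function excessScopes(token, allowed) {
  const granted = (decodeJwtPayload(token).scp || '').split(' ').filter(Boolean);
  return granted.filter(s => !allowed.includes(s) || s.endsWith('.All'));
}

// `cache` is a plain object of key -> string; in a browser pass
// Object.assign({}, sessionStorage), MSAL's default cache location.
function auditMsalCache(cache, allowed) {
  const findings = [];
  for (const [key, raw] of Object.entries(cache)) {
    let entry;
    try { entry = JSON.parse(raw) || {}; } catch { continue; }  // non-credential keys
    if (entry.credentialType === 'RefreshToken') {
      findings.push({ key, reason: 'refresh token cached: persistent access' });
    } else if (entry.credentialType === 'AccessToken') {
      const excess = excessScopes(entry.secret, allowed);
      if (excess.length) findings.push({ key, reason: 'over-broad scopes: ' + excess.join(' ') });
    }
  }
  return findings;
}

// Constructed sample data: an unsigned JWT-shaped token and an MSAL-style cache.
function makeSampleToken(scp) {
  const payload = b64uEncode(JSON.stringify({ aud: 'https://graph.microsoft.com', scp }));
  return b64uEncode(JSON.stringify({ alg: 'none', typ: 'JWT' })) + '.' + payload + '.';
}
const SAMPLE_CACHE = {
  'acct-login.microsoftonline.com-accesstoken-app-tenant': JSON.stringify({ credentialType: 'AccessToken', secret: makeSampleToken('Files.Read.All User.Read') }),
  'acct-login.microsoftonline.com-refreshtoken-app': JSON.stringify({ credentialType: 'RefreshToken', secret: 'constructed-opaque-refresh-token' }),
  'msal.interaction.status': 'none',
};
const ALLOWED_FOR_UPLOAD_ONLY = ['User.Read'];  // assumption: all this app needs
```

Running `auditMsalCache(SAMPLE_CACHE, ALLOWED_FOR_UPLOAD_ONLY)` reports the drive-wide `Files.Read.All` scope and the cached refresh token, the two conditions the article describes.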
Although users are prompted to give consent before an upload, the language in the prompt is vague and does not clearly communicate the level of access being granted. This ambiguity can mislead users into authorizing extensive data access without fully understanding the implications.
Source: hxxps[://]www[.]oasis[.]security/resources/blog/onedrive-file-picker-security-flaw-oasis-research