External Apps Can Exploit OneDrive Security Flaw
Websites that support OneDrive file uploads—such as ChatGPT, Slack, Trello, ClickUp, Zoom, and others—can gain access to a user’s entire OneDrive account, not just the files selected for upload. This access may persist for extended periods.
The root cause is a lack of fine-grained OAuth scopes in OneDrive, which results in the official OneDrive File Picker requesting full read access to the entire drive, even for single-file uploads. Compounding the issue, the sensitive tokens used to grant this access are often stored insecurely by default.
Oasis reported the vulnerability to Microsoft, which acknowledged the issue and may consider future improvements.
Oasis estimates that hundreds of apps are impacted and has notified several major vendors using the OneDrive File Picker ahead of public disclosure.
OAuth is a widely adopted industry-standard protocol that enables users to securely share their data between websites and third-party web applications.
In the context of OneDrive, for instance, when a user wants to upload a file through an external web application, OAuth facilitates this by allowing the user to grant the application access to their OneDrive.
Once permission is given, the application receives an access token that provides limited access to the user’s data. This mechanism is broadly supported across many platforms and services.
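Added here as an illustration, not code from the Oasis report or this post: a defender-side audit over Microsoft Graph oauth2PermissionGrant records that flags third-party apps holding drive-wide delegated scopes such as Files.Read.All, even though a single-file upload needs far less, and notes whether a refresh token (offline_access) lets that access persist. The grant records, app ids and user id are constructed placeholders; the scope names are real Graph permission names.

```python
import json

# Delegated Microsoft Graph scopes that expose the whole drive (or every site the user
# can reach), not just the file the user picked. These are real Graph permission names.
DRIVE_WIDE_SCOPES = {
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}

# Constructed sample in the shape of Graph oauth2PermissionGrant objects
# (clientId, consentType, principalId, scope). App ids and the user id are placeholders.
SAMPLE_GRANTS = json.loads("""[
 {"id": "g1", "clientId": "app-upload-widget", "consentType": "Principal",
  "principalId": "user-42", "scope": "openid profile Files.Read.All offline_access"},
 {"id": "g2", "clientId": "app-calendar-sync", "consentType": "Principal",
  "principalId": "user-42", "scope": "Calendars.Read"},
 {"id": "g3", "clientId": "app-doc-importer", "consentType": "AllPrincipals",
  "principalId": null, "scope": "Files.ReadWrite.All Sites.Read.All"}
]""")


def drive_wide_grants(grants):
    """Return one finding per grant that carries a drive-wide scope.

    Each finding records the app, whether consent was tenant-wide (AllPrincipals),
    which over-broad scopes it holds, and whether offline_access was granted, which
    means a refresh token was issued and access can outlive the upload session.
    """
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())
        hit = scopes & DRIVE_WIDE_SCOPES
        if not hit:
            continue
        findings.append({
            "clientId": g["clientId"],
            "tenantWide": g["consentType"] == "AllPrincipals",
            "scopes": sorted(hit),
            "persistent": "offline_access" in scopes,
        })
    return findings


if __name__ == "__main__":
    for f in drive_wide_grants(SAMPLE_GRANTS):
        print(f)
```

In a real tenant the input would be the output of `GET /oauth2PermissionGrants` from Graph; apps flagged here are candidates for consent review or revocation.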
Read more – https://pages.oasis.security/rs/106-PZV-596/images/onedrive-file-access-warning.pdf?version=0

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.