WTF?! OneDrive is one of the most popular cloud storage services in the market, largely because Microsoft aggressively promotes it to Windows users. However, security researchers warn that OneDrive's File Picker feature may expose users and organizations to serious data risks by granting full read access to unauthorized parties.

Microsoft is being extremely careless with security boundaries in OneDrive. A recent Oasis Security analysis revealed that OneDrive's File Picker tool can grant websites, apps, and outside users full read-only access to all content stored on the service. This glaring flaw puts both individual users and corporations at risk, prompting Oasis to recommend a thorough audit of all previously granted permissions.

File Picker provides companies and users with quick and easy file uploads from their OneDrive accounts. Many online services, including OpenAI's ChatGPT, leverage this feature. However, rather than restricting access to a specific file, the tool grants external services blanket access to the entire storage space.

Oasis estimates that hundreds of apps are affected by the issue, including ChatGPT, Slack, Trello, ClickUp, and others. As a result, millions of users have likely granted these services unrestricted access to their OneDrive files. This exposure could lead to data leaks and privacy violations, while organizations risk breaching regulatory compliance.

Oasis also criticized Microsoft for using vague and misleading language when prompting users to initiate a file upload. It claims that Microsoft fails to disclose the full extent of access granted through File Picker, leaving customers unable to distinguish between legitimate requests and potentially malicious attempts to exfiltrate data.

Oasis also warns that secret tokens used to grant access requests are often stored insecurely by default. In version 8.0 of File Picker, developers must implement authentication using Microsoft's Authentication Library (MSAL) with OAuth's Authorization Flow. However, the MSAL API stores tokens in the browser's session storage in plain text, and the Authorization Flow can extend access indefinitely through a refresh token.

"The lack of fine-grained OAuth scopes combined with Microsoft's vague user prompt is a dangerous combination that puts both personal and enterprise users at risk," Oasis said.
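Two of the points above can be checked directly by anyone integrating or reviewing a File Picker deployment: whether MSAL is persisting tokens (including a refresh token) in Web Storage as plain JSON, and whether the scopes being requested are drive-wide rather than limited. The script below is an added example written for this article; it is not code from Oasis Security, Microsoft or the article itself. It assumes, from the author's knowledge of @azure/msal-browser rather than from the article, the `cacheLocation` values `"sessionStorage"`, `"localStorage"` and `"memoryStorage"`, the MSAL cache key layout `<homeAccountId>-<environment>-<credentialType>-<clientId>-<realm>-<target>`, and the OAuth `offline_access` scope that yields a refresh token. The client ID and the storage entries are constructed placeholders.

```javascript
// Added example, not code from the article, Oasis Security or Microsoft.
// Assumptions: the MSAL.js cacheLocation values, the MSAL cache key layout
// "<homeAccountId>-<environment>-<credentialType>-<clientId>-<realm>-<target>",
// and the OAuth "offline_access" scope (which yields a refresh token) are taken
// from the author's knowledge of @azure/msal-browser. The client ID and the
// storage entries below are constructed sample data.

// Weak configuration: tokens are persisted in Web Storage as plain JSON,
// which is the behaviour the article describes.
const weakMsalConfig = {
  auth: {
    clientId: "PLACEHOLDER-CLIENT-ID", // placeholder, not a real app registration
    authority: "https://login.microsoftonline.com/common",
  },
  cache: { cacheLocation: "sessionStorage" },
};

// Hardened configuration: keep tokens in memory only, so they are gone when
// the page unloads and are not readable from Web Storage by other scripts.
const hardenedMsalConfig = {
  auth: { ...weakMsalConfig.auth },
  cache: { cacheLocation: "memoryStorage" },
};

const CREDENTIAL_TYPES = ["accesstoken", "refreshtoken", "idtoken"];

// Scan a Web Storage-like object (window.sessionStorage, window.localStorage,
// or the constructed stand-in below) and list every MSAL credential entry.
// A refresh token in the result means the grant outlives the access token.
function auditTokenStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const segments = key.toLowerCase().split("-");
    const type = CREDENTIAL_TYPES.find((t) => segments.includes(t));
    if (!type) continue;
    let secretLength = 0;
    try {
      secretLength = String(JSON.parse(storage.getItem(key)).secret || "").length;
    } catch (_) {
      // Not JSON: still a credential-shaped key, report it with unknown length.
    }
    findings.push({ key, type, secretLength });
  }
  return findings;
}

// Scopes that read every file in the drive rather than one picked file.
const BROAD_FILE_SCOPES = new Set([
  "files.read", "files.read.all", "files.readwrite", "files.readwrite.all",
]);

// Classify the scopes a picker integration requests: which ones are drive-wide,
// and whether offline_access (refresh token, indefinite access) is included.
function assessPickerScopes(scopes) {
  const normalized = scopes.map((s) =>
    s.toLowerCase().replace(/^https:\/\/graph\.microsoft\.com\//, ""));
  return {
    broad: normalized.filter((s) => BROAD_FILE_SCOPES.has(s)),
    offlineAccess: normalized.includes("offline_access"),
  };
}

// Constructed stand-in for Web Storage so the audit runs outside a browser.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => entries[k] };
}

// Constructed sample of what a sessionStorage cache can look like after sign-in.
const sampleSessionStorage = makeStorage({
  "msal.token.keys.PLACEHOLDER-CLIENT-ID": "{}",
  "uid.tid-login.windows.net-accesstoken-PLACEHOLDER-CLIENT-ID-tid-files.read.all":
    JSON.stringify({ credentialType: "AccessToken", secret: "eyJ.sample.access" }),
  "uid.tid-login.windows.net-refreshtoken-PLACEHOLDER-CLIENT-ID--":
    JSON.stringify({ credentialType: "RefreshToken", secret: "0.sample.refresh" }),
});

// In a real page, pass window.sessionStorage and the scopes your app requests.
const sampleFindings = auditTokenStorage(sampleSessionStorage);
const sampleAssessment = assessPickerScopes(["Files.Read.All", "offline_access", "User.Read"]);
```

Running the audit against the constructed sample reports one access token and one refresh token sitting in plaintext, and the scope assessment flags `Files.Read.All` as drive-wide with `offline_access` present, which is exactly the combination the article describes: broad read access that a refresh token can renew indefinitely. On a real deployment the same two checks, run from the browser console, tell an administrator what a third-party integration actually holds.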

As a result, individual users and enterprise administrators should review any third-party access permissions they have previously granted – a process Oasis outlines in a detailed checklist. The researchers have already reported the flaw to Microsoft and affected third-party vendors, and Redmond is reportedly considering future improvements to the service.