
OneDrive Flaw Allows Cloud File Access

Flaw allows apps to read an entire OneDrive account.

A flaw in Microsoft’s OneDrive File Picker could allow a website to access a user’s cloud files.

Detailed by the Oasis research team and featured by Safety Detectives, the researchers attribute the flaw to “overly broad OAuth scopes” combined with vague consent screens. Together, these allow an app to read an entire OneDrive account even when the user chooses only one file for upload.

The consent screen shown to users doesn’t clearly explain what’s being accessed, which can lead to accidental “customer data leakage and violation of compliance regulations.”

Microsoft has acknowledged the problem but hasn’t released a fix yet. Until then, experts suggest avoiding file uploads through OneDrive OAuth or disabling refresh tokens and storing access tokens more securely.
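As an added illustration (not code from the article or from the Oasis research), the following audit decodes the `scp` claim of a delegated Microsoft Graph access token and flags two things the article's mitigations point at: drive-wide `Files.*` scopes, and the `offline_access` scope that causes a refresh token to be issued. The sample token payload, the user name and the policy lists are constructed assumptions, not values from the report.

```python
import base64
import json

# Constructed sample of the claims in a delegated Graph access token.
# Only the payload matters for a scope audit; no real token or signature is used.
SAMPLE_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "scp": "Files.Read.All offline_access User.Read",  # space-separated delegated scopes
    "upn": "user@example.com",  # constructed placeholder
}

# Delegated scopes that reach every file in the user's drive, not just the picked one.
# Assumed policy list for this example; tune it to your tenant's least-privilege baseline.
BROAD_FILE_SCOPES = {"Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All"}
# Requesting offline_access is what makes the identity platform issue a refresh token.
REFRESH_TOKEN_SCOPE = "offline_access"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the (unverified) claims of a compact JWT: header.payload.signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def audit_scopes(token: str) -> dict:
    """Summarise which granted scopes exceed single-file access or enable refresh tokens."""
    scopes = set(jwt_claims(token).get("scp", "").split())
    return {
        "scopes": sorted(scopes),
        "broad_file_scopes": sorted(scopes & BROAD_FILE_SCOPES),
        "refresh_token_requested": REFRESH_TOKEN_SCOPE in scopes,
    }


def make_unsigned_token(payload: dict) -> str:
    """Build an unsigned (alg=none) JWT from a payload, for offline demo input only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    print(audit_scopes(make_unsigned_token(SAMPLE_PAYLOAD)))
```

A non-empty `broad_file_scopes` list on a token obtained for a one-file upload is the condition the article describes; an app that does not need long-lived access should also not request `offline_access`.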


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
