Oasis Security's research team uncovered a flaw in Microsoft's OneDrive File Picker that allows websites to access a user’s entire OneDrive content, rather than just the specific files selected for upload via OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp–meaning millions of users may have already granted these apps access to their OneDrive. This flaw could have severe consequences, including customer data leakage and violation of compliance regulations.
Upon discovery, Oasis reported the flaw to Microsoft and advised vendors using OneDrive File Picker of the issue. In response, Microsoft is considering future improvements, including more precise alignment between what OneDrive File Picker does and the access it requires.
Below are details of the flaw and mitigation strategies. You can read the Oasis Security Research team’s full report here.
The Flaws
Excessive Permissions in the OneDrive File Picker
The official OneDrive File Picker implementation requests read access to the entire drive – even when uploading just a single file – due to the lack of fine-grained OAuth scopes for OneDrive.
While users are prompted to provide consent before completing an upload, the prompt’s vague and unclear language does not communicate the level of access being granted, leaving users open to unexpected security risks.
The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option.
Insecure Storage of Sensitive Secrets
Sensitive secrets used for this access are often stored insecurely by default.
The latest version of OneDrive File Picker (8.0) requires developers to take care of the authentication themselves, typically using the Microsoft Authentication Library (MSAL) and most likely using the Authorization Flow.
Security risks ensue:
MSAL stores sensitive Tokens in the browser’s session storage in plain text.
With Authorization Flows a Refresh Token may also be issued, which lengthens the access period, providing ongoing access to the user's data.
Notably, OpenAI uses version 8.0.
Mitigation Steps
The lack of fine-grained OAuth scopes combined with Microsoft’s vague user prompt is a dangerous combination that puts both personal and enterprise users at risk. Oasis Security recommends that individuals and technology leaders review the third-party access they’ve granted to their account to mitigate the potential risks raised by these issues.
Check Whether or Not You’ve Previously Granted Access to a Vendor
How to for Private Accounts
Log in to your Microsoft Account.
In the left or top pane, click on "Privacy".
Under "App Access", select the list of apps that have access to your account.
Review the list of apps, and for each app, click on “Details” to view the specific scopes and permissions granted.
You can “Stop Sharing” at any time. Consider that an Access Token takes about an hour to expire regardless of when you clicked stopped sharing. This would however revoke a Refresh Token if present.
While patching a SCF File NTLM hash disclosure issue on our security-adopted Windows versions, our researchers discovered a related v...
Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks.
Hackers are trying to exploit a vulnerability in the Modern Events Calendar WordPress plugin that is present on more than 150,000 websites to upload arbitrary files to a vulnerable site and execute code remotely.
#Actively #Calendar #Computer #Events #Exploited #File #InfoSec #Modern #Plugin #Security #Upload #Vulnerability #WordPress
AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware in the form of a batch file (*.bat). This malware is designed to download various scripts based on the anti-malware process, including AhnLab products, installed in the user’s environment. Based on the function names used by the malware and the downloaded URL parameters, it is suspected to have been distributed by the Kimsuky group.
