Millions of users may unknowingly have granted access to their OneDrive files. A security gap in the OneDrive File Picker gives apps such as ChatGPT or Slack full read access to all content. However, Microsoft is not particularly concerned.
Dangerous access rights for OneDrive uploads
Microsoft is constantly working on its cloud storage service OneDrive. Most recently, users were promised an AI boost and more storage space. Password protection for PDFs is also due soon. Finally, the focus has also been on integration with other programs: for about a year, files from other cloud services can be imported directly.
However, a serious security problem has now come to light in this integration with other applications. If you upload files from your OneDrive into services such as Slack or Trello, you often unintentionally give these apps access to your entire cloud storage. The cause is a problematic implementation, discovered by security researchers, in the Microsoft OneDrive File Picker, which lets third-party services access all content of the cloud storage – not just the files selected for upload.
Overly broad permissions
The problem lies in overly broad OAuth permissions and misleading consent screens that do not clearly convey to users which access rights they are actually granting. Numerous popular web applications such as ChatGPT, Zoom and ClickUp that have integrated OneDrive into their services are affected.
As the security company Oasis Security reports, the OneDrive File Picker requests read access to the entire drive – even if only a single file is to be uploaded. This results from the lack of fine-grained OAuth permissions for OneDrive. The consent dialog that Microsoft shows users before a file upload is also very vague and does not sufficiently communicate which level of access is actually being granted.
The competition does it better
By comparison, other cloud providers offer safer solutions. Google Drive has OAuth permissions that only allow apps access to files they created themselves or that were explicitly approved. With its Chooser SDK, Dropbox uses a proprietary endpoint that does without a typical OAuth flow altogether and thus minimizes the risk. In addition, the authorization tokens issued by Microsoft are often stored insecurely, namely in plain text in browser storage. Refresh tokens can also be issued that grant applications permanent access to user data without the user having to sign in again.
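For a defender reviewing such an integration, the two points above (a whole-drive scope requested for a single upload, and tokens sitting in plain text in browser storage) can be turned into a concrete check. The following Python script is an added example, not code from Oasis Security or Microsoft: it parses the `scope` parameter of an OAuth authorization request, flags Microsoft Graph file scopes that cover the whole drive (anything under `Files.*` or `Sites.*` not ending in `.Selected`) and `offline_access` (which yields a refresh token), reads the `scp` claim of an access token, and scans a dumped browser storage for JWT-shaped values. The authorize URL, the client_id, the token and the storage keys are constructed sample data; the treatment of the `.Selected` suffix as "narrow" is an assumption based on Microsoft's scope naming, and the token is inspected without signature verification, which is fine for auditing your own session but never for authorization decisions.

```python
"""Audit helpers for OAuth scopes and token storage (added example, not the
Oasis Security or Microsoft code).  Scope names are real Microsoft Graph
delegated permissions; every URL, token and storage key below is constructed."""
import base64
import json
import re
from urllib.parse import parse_qs, urlparse

# Compact JWT: three base64url segments; the signature may be empty for unsigned tokens.
JWT_SHAPE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def requested_scopes(authorize_url: str) -> set[str]:
    """Return the space-separated scopes from an OAuth 2.0 authorize URL."""
    query = parse_qs(urlparse(authorize_url).query)
    scopes: set[str] = set()
    for chunk in query.get("scope", []):
        scopes.update(chunk.split())
    return scopes


def classify(scopes: set[str]) -> dict:
    """Flag scopes that reach the whole drive and scopes that persist access.

    Assumption: Graph 'Files.*' / 'Sites.*' scopes without the '.Selected'
    suffix are treated as drive-wide; 'offline_access' means a refresh token."""
    drive_wide = sorted(
        s for s in scopes
        if s.startswith(("Files.", "Sites.")) and not s.endswith(".Selected")
    )
    selected_only = sorted(s for s in scopes if s.endswith(".Selected"))
    persistent = "offline_access" in scopes
    return {
        "drive_wide": drive_wide,
        "selected_only": selected_only,
        "persistent": persistent,
        "verdict": "review" if drive_wide or persistent else "ok",
    }


def token_scopes(jwt: str) -> set[str]:
    """Read the 'scp' claim of a Graph access token WITHOUT verifying it.

    Good enough for inspecting your own session; never use this for authz."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    payload = json.loads(base64.urlsafe_b64decode(padded))
    return set(payload.get("scp", "").split())


def find_tokens_in_storage(storage: dict) -> list[str]:
    """Return keys of a dumped localStorage/sessionStorage whose value looks
    like a JWT, i.e. a token kept in plain text in the browser."""
    return sorted(k for k, v in storage.items()
                  if isinstance(v, str) and JWT_SHAPE.fullmatch(v))


# ---- constructed sample data --------------------------------------------
def _sample_token(scp: str) -> str:
    """Build an unsigned JWT carrying the given scp claim (sample data only)."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none", "typ": "JWT"}),
                     seg({"aud": "https://graph.microsoft.com", "scp": scp}),
                     ""])


# Placeholder client_id; the scope list mirrors a whole-drive read request.
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&scope=openid%20profile%20Files.Read.All%20offline_access"
    "&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback"
)
SAMPLE_TOKEN = _sample_token("Files.Read.All User.Read")
SAMPLE_LOCAL_STORAGE = {          # key names constructed for this example
    "theme": "dark",
    "msal.accesstoken": SAMPLE_TOKEN,
    "session.note": "not-a-jwt",
}

if __name__ == "__main__":
    report = classify(requested_scopes(SAMPLE_AUTHORIZE_URL))
    print("authorize request:", report)
    print("token scp claim:", sorted(token_scopes(SAMPLE_TOKEN)))
    print("plain-text tokens in storage:", find_tokens_in_storage(SAMPLE_LOCAL_STORAGE))
```

Run as a script it prints the three findings for the constructed data; in practice you would feed it the authorize URL captured from the browser's network log, the access token from your own session and a JSON dump of the relevant origin's storage. A `review` verdict means the integration asked for more than the single-file upload needs, and a hit from the storage scan means a bearer token is readable by any script running in that origin.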
Data protection problems
This could be particularly critical for companies. Employees could unintentionally violate confidentiality policies if they share corresponding company data via OneDrive with third-party apps. Experts therefore advise organizations to require administrator approval, or to enforce conditional access policies, for apps that request more than read permission.
Private users can check their access authorizations by signing in to OneDrive with their Microsoft account, selecting “App access” under “Data protection” and going through the list of apps with access rights. Access can also be revoked there if necessary.
Redmond remains calm
Microsoft acknowledged the problem after Oasis Security's disclosure, but has not yet provided a fix. In a statement, the company explained: “We appreciate the partnership with Oasis Security in the responsible disclosure of this problem. This technique does not meet our criteria for immediate remedy, since a user of the application has to agree before it is allowed. We will consider improvements in a future version.” So whether an adjustment will actually be made remains completely open.