Cybersecurity researchers have found a security flaw in Microsoft's OneDrive File Picker which, if successfully exploited, could allow web applications to access a user's entire cloud storage, rather than only the files selected through the tool.
"This is due to overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted," Oasis Security said in a report shared with The Hacker News. "This flaw could have severe consequences, including customer data leakage and violations of compliance requirements."
Several applications are estimated to be affected, including ChatGPT, Slack, Trello and ClickUp, given their integration with Microsoft's cloud service.
The problem, according to Oasis, stems from the excessive permissions requested by the OneDrive File Picker, which asks for access to the user's entire drive even when only a single file is being uploaded, because OneDrive offers no fine-grained OAuth scopes.
Compounding the issue, the consent prompt shown to users before a file is uploaded is vague and does not clearly convey the level of access being granted, exposing users to unexpected security risks.
"The absence of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that request excessive permissions simply because there is no secure alternative," Oasis said.
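As an added example (not code from the article, Oasis Security or Microsoft), the check below audits the scope list in an OAuth authorization request before the consent screen ever appears, so an application team can see when a "pick one file" feature is about to ask for the whole drive and whether it also asks for a refresh token. The authorize URL, client_id and redirect_uri are constructed; Files.Read.All and Files.ReadWrite.All are real Microsoft Graph delegated scope names and offline_access is the real scope that yields a refresh token, but the article does not name which scope the picker requests, and the plain-language wording in the table is this example's own, not Microsoft's consent text.

```javascript
// Added example, not from the article, Oasis Security or Microsoft.
// Policy for this example: any scope ending in ".All" is treated as broad,
// and offline_access (the scope that yields a refresh token) is flagged too.
const BROAD_FILE_SCOPES = new Set(['Files.Read.All', 'Files.ReadWrite.All']);
const GRAPH_PREFIX = /^https:\/\/graph\.microsoft\.com\//i;

// Plain-language wording used here as a stand-in for the unclear consent
// text the article describes (example wording, not Microsoft's).
const PLAIN_LANGUAGE = {
  'Files.Read.All': 'read every file you can access, not just the one you pick',
  'Files.ReadWrite.All': 'read and change every file you can access',
  'offline_access': 'keep access after you close the app (refresh token)',
  'openid': 'confirm who you are',
  'User.Read': 'read your basic profile',
};

// Pull the space-separated scope list out of an authorize URL, dropping the
// optional resource prefix so "https://graph.microsoft.com/X" and "X" compare equal.
function parseScopes(authorizeUrl) {
  const raw = new URL(authorizeUrl).searchParams.get('scope') || '';
  return raw.split(/\s+/).filter(Boolean).map((s) => s.replace(GRAPH_PREFIX, ''));
}

// Compare what the request asks for with what the feature is for, and return
// a structured verdict that a reviewer or a CI check can act on.
function auditAuthorizeRequest(authorizeUrl, purpose) {
  const scopes = parseScopes(authorizeUrl);
  const broad = scopes.filter((s) => BROAD_FILE_SCOPES.has(s) || /\.All$/i.test(s));
  const offlineAccess = scopes.includes('offline_access');
  const explained = scopes.map((s) => `${s}: ${PLAIN_LANGUAGE[s] || 'unknown scope, review manually'}`);
  const findings = [];
  if (broad.length) findings.push(`broad scope(s) ${broad.join(', ')} requested for "${purpose}"`);
  if (offlineAccess) findings.push('offline_access requested: a refresh token will be issued');
  return { scopes, broad, offlineAccess, explained, verdict: findings.length ? 'REVIEW' : 'ok', findings };
}

// Constructed authorize URL: real endpoint shape, placeholder client_id and
// redirect_uri, scopes chosen to trigger both findings.
const SAMPLE_AUTHORIZE_URL =
  'https://login.microsoftonline.com/common/oauth2/v2.0/authorize' +
  '?client_id=00000000-0000-0000-0000-000000000000' +
  '&response_type=token' +
  '&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback' +
  '&scope=Files.Read.All%20openid%20offline_access';

// Constructed sign-in-only request for comparison.
const SAMPLE_MINIMAL_URL =
  'https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=openid%20User.Read';

console.log(auditAuthorizeRequest(SAMPLE_AUTHORIZE_URL, 'attach one file'));
console.log(auditAuthorizeRequest(SAMPLE_MINIMAL_URL, 'sign in').verdict);
```

Run it with Node to see the first request flagged as REVIEW with two findings and the second reported as ok. Because OneDrive offers no narrower file scope, the check cannot suggest a replacement scope; its value is making the over-request visible, with an honest description of each scope, at the point where a team decides whether to ship the integration.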
The New York-based security company also noted that the OAuth tokens used to authorize access are often handled insecurely, adding that they are stored in plaintext in the browser's session storage.
Another potential pitfall is that the authorization flow can also issue a refresh token, granting an app ongoing access to users' data by letting it obtain new access tokens without prompting the user to log in again when the current token expires.
Following responsible disclosure, Microsoft has acknowledged the problem, although no fix is available yet. In the meantime, users should consider temporarily removing the option to upload files using OneDrive via OAuth until a secure alternative is available. It is also recommended to avoid using refresh tokens, to store access tokens securely, and to discard them once they are no longer needed.
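As an added example (not code from the article, Oasis Security or Microsoft), the block below turns the token-handling findings and recommendations above into two defender-side checks. findPlaintextTokens() walks a Web Storage-like object (localStorage or sessionStorage in a browser; a plain object here so it runs offline) and reports entries that hold a bearer token, bare or nested inside a JSON blob, decoding the JWT payload to show its scope (scp) and expiry. TokenHolder keeps an access token in memory only, drops any refresh token the token response carries, and discards the access token at expiry or on release(). The token is constructed and unsigned; the storage contents and claims are sample data, and Files.Read.All is a real Graph scope name used only because it is the kind of broad scope the article describes.

```javascript
// Added example, not from the article, Oasis Security or Microsoft.
function b64urlEncode(text) {
  return btoa(text).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return atob(padded);
}

// Return the JWT payload object, or null if the value is not a JWT.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(b64urlDecode(parts[1]));
    return payload && typeof payload === 'object' ? payload : null;
  } catch {
    return null;
  }
}

// Report every storage entry whose value, or a string field of its JSON
// value, decodes as a JWT: these are tokens sitting in plaintext.
function findPlaintextTokens(storageLike) {
  const hits = [];
  for (const [key, value] of Object.entries(storageLike)) {
    const candidates = [value];
    try {
      const parsed = JSON.parse(value);
      if (parsed && typeof parsed === 'object') candidates.push(...Object.values(parsed));
    } catch {
      // not JSON: only the raw value is checked
    }
    for (const c of candidates) {
      const payload = decodeJwtPayload(c);
      if (payload) hits.push({ key, scope: payload.scp ?? null, exp: payload.exp ?? null });
    }
  }
  return hits;
}

// In-memory holder: nothing is written to Web Storage, a refresh token in the
// token response is dropped rather than kept, and the access token is cleared
// as soon as it is stale or released. The clock is injectable for testing.
class TokenHolder {
  #accessToken = null;
  #expiresAt = 0;
  droppedRefreshToken = false;

  constructor(nowSeconds = () => Math.floor(Date.now() / 1000)) {
    this.nowSeconds = nowSeconds;
  }

  accept(tokenResponse) {
    if (tokenResponse.refresh_token) this.droppedRefreshToken = true; // never stored
    const payload = decodeJwtPayload(tokenResponse.access_token);
    this.#accessToken = tokenResponse.access_token;
    this.#expiresAt = payload?.exp ?? this.nowSeconds() + (tokenResponse.expires_in ?? 0);
  }

  get() {
    if (this.#accessToken && this.nowSeconds() < this.#expiresAt) return this.#accessToken;
    this.release();
    return null;
  }

  release() {
    this.#accessToken = null;
    this.#expiresAt = 0;
  }
}

// Constructed sample: an unsigned JWT carrying the claims the check reads,
// placed in a fake storage object both bare and nested inside JSON.
const SAMPLE_NOW = 1700000000;
function makeSampleToken(scp, exp) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = b64urlEncode(JSON.stringify({ aud: 'https://graph.microsoft.com', scp, exp }));
  return `${header}.${payload}.not-a-real-signature`;
}
const SAMPLE_TOKEN = makeSampleToken('Files.Read.All openid', SAMPLE_NOW + 3600);
const SAMPLE_STORAGE = {
  theme: 'dark',
  'picker.access_token': SAMPLE_TOKEN,
  session: JSON.stringify({ user: 'alice@example.test', access_token: SAMPLE_TOKEN }),
};

console.log(findPlaintextTokens(SAMPLE_STORAGE));
```

In a browser, pass window.localStorage or window.sessionStorage to findPlaintextTokens() from the console of the integrating app to see which keys hold tokens and how broad their scp claim is; the two hits on the sample storage show that tokens hidden inside a JSON session object are caught as well as bare ones. TokenHolder is the shape of the recommendation in the text: no refresh token retained, the access token held only in memory, and get() returning null (after clearing) once the exp claim has passed.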
The Hacker News has reached out to Microsoft for further comment, and we will update the story if we hear back.
"The lack of fine-grained OAuth scopes, combined with Microsoft's vague consent prompt, is a dangerous combination that puts both personal and enterprise users at risk," Oasis said. "This finding underscores the importance of continuous vigilance in OAuth scope management, regular security assessments, and proactive monitoring to protect users' data."