Open Authorization (OAuth) is a standard for allowing apps and services to log in to one another while keeping confidential information private, such as when users sign in on a third-party site using their Facebook or Google accounts. It is widely used across all corners of the internet, and a security flaw in an application’s use of the standard could cause extreme levels of unauthorized access.
A research team at Oasis Security recently discovered a vulnerability in a trusted Microsoft component, the OneDrive File Picker. The flaw enables a website to gain broad access to the entire contents of a OneDrive account, not just the selected files for upload. The scope of the flaw is said to potentially impact hundreds of applications, millions of users, and billions of files.
Understanding the Vulnerability
The flaw in OneDrive File Picker arises from the request for read access to the drive when a user is attempting to upload a file to another application. OAuth scopes in OneDrive are often broad and not granular enough to ensure secure access, opening the door for potential overextension of access. Users must consent to OneDrive accessing their files for upload, but the prompts often fail to clearly communicate the requested level of access.
This leads to the illusion of user control over their data, as misleading language makes users believe the access is more granular and more secure than it actually is. While a user may intend only to provide access to a single file, the vague consent language can lead to them accidentally granting access to their entire OneDrive and all of their files.
Real-World Risk Scenarios
Many applications that are extremely common in business operations are affected by the flaw, including ChatGPT, Slack, Trello, and ClickUp. This could lead to a variety of corporate risk scenarios, putting organizational data at risk. For example, a job applicant could leak confidential documents by granting broad access to their files while intending to upload a resume.
The persistence of the access granted means that allowing this unsecured authorization to a OneDrive account can cause security issues and endanger sensitive data for years down the line. Not many users are regularly reviewing their app permissions for old or overextended access. The regulatory implications of this long-lasting access are troubling, as is the scope of valuable assets at risk from this flaw.
Why Developers Are Also in the Dark
The use of older versions of OneDrive File Picker hinders app developers’ ability to discover and remediate permission overreach. Insecure handling of tokens in localStorage and session storage enables ongoing access to users’ files, and sensitive information relating to the granted access is often stored insecurely.
There is yet to be a structural fix to mitigate the flaw within OneDrive, leaving organizations and individual users to take steps to audit and manage permissions that may have been granted long ago. Many organizations could unknowingly be affected by this vulnerability, increasing the risk of supply chain exposure through compromised vendors.
Lessons from Competitors: A Call for Better Practices
In contrast with OneDrive’s vague and broad access permissions creating security gaps, competing file-hosting services like Dropbox and Google Drive demonstrate clearer consent language and fine-grained permissions that prevent a flaw like this from occurring. It is important to ensure that users are well informed as to what data an app is requesting access to when they are asked to grant permissions. Limited-scope and non-OAuth pickers can serve as safer alternatives to the risks of the flaw, as they avoid unnecessarily requesting broad access to an account’s entire drive.
What Users and Organizations Can Do
Users and organizations should take steps to check whether they have granted broad access to vendors in the past and revoke existing OneDrive access. Individual users should log in to their Microsoft accounts, navigate to the Privacy settings, and then to App Access, in order to audit and revoke app permissions. Organizations should use the Entra Admin Center to view the list of enterprise applications and check the permissions granted for each app.
Developers should employ safer practices to prevent flaws like this in the future, such as foregoing refresh tokens, ensuring secure token storage, and removing OneDrive’s File Picker if possible. “If you’re building apps internally, include OAuth scope reviews and token handling in your design and architecture reviews,” according to Vijay Dilwale, Principal Security Consultant at Black Duck. “And in higher-risk environments, consider pen testing workflows that involve file uploads or third-party integrations to see how far access really goes.”
A Wake-Up Call for the Industry
Microsoft’s lack of fine-grained scopes is a systemic design flaw, making it difficult for organizations and individual users to visualize, understand, and manage the permissions they grant to different applications. The discovery of this flaw highlights the responsibility of platform providers to protect user trust by using clear consent language and secure access policies. This should serve as a turning point for OAuth reform and identity security, demonstrating the importance of clear consent language and proper permission scoping.
