- Researchers found a flaw in the Microsoft OneDrive File Picker
- The defect stems from the lack of fine-grained OAuth permissions
- Microsoft has acknowledged the flaw but has not yet fixed it
A vulnerability has been found in the Microsoft OneDrive File Picker that could allow threat actors to access users' entire cloud storage, experts warned.
Oasis Security researchers discovered the flaw and reported it to Microsoft, noting that the problem lies in the excessive permissions the File Picker requests when uploading files, including read access to the entire drive. The tool requests these permissions because the OAuth scopes available for OneDrive are not fine-grained.
The File Picker is a OneDrive tool that lets websites and applications integrate directly with the cloud storage service. Users can manage their OneDrive account from within a third-party interface, giving them seamless access to their files.
“This stems from overly broad OAuth scopes and misleading consent screens that do not clearly explain the extent of the access being granted,” Oasis's research team explained in a report.
“This flaw could have serious consequences, including customer data leakage and violations of compliance regulations.”
Oasis also stressed that a number of popular applications, such as ChatGPT, Trello and Slack, are affected too, since they integrate with OneDrive.
The researchers also said that the messaging shown when uploading files is not clear enough, which could mislead people into thinking their cloud storage is safe.
“The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps going after all their files and legitimate apps that request excessive permissions simply because there is no safer option,” Oasis concluded.
If that were not enough, Oasis also said that the OAuth tokens are often stored insecurely, kept in the browser's session storage in plain text.
According to reports, Microsoft has acknowledged the problem but has not yet come back with a patch.
If you are worried about exposing your OneDrive storage, you may want to temporarily remove the option to upload files via OneDrive using OAuth. You can also stop using refresh tokens and make sure access tokens are stored more securely.
Via The Hacker News
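As an added example (not code from the article, from Oasis or from Microsoft), the following Node.js script audits a delegated access token for the whole-drive scopes and refresh-token grant the article describes, and flags JWT-like values left in plaintext browser storage. It assumes Microsoft Graph scope names such as Files.Read.All, which the article does not name, and runs on a constructed, unsigned sample token.

```javascript
// Added example, not code from the article, Oasis or Microsoft: audit what a
// delegated OAuth access token actually grants and check the browser storage
// the article warns about. Scope names are Microsoft Graph delegated
// permissions (an assumption: the article names none); the token is a
// constructed, unsigned sample.

// Graph scopes that grant access to every file the user can reach.
const WHOLE_DRIVE_SCOPES = new Set([
  "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
]);

// Decode a JWT payload without verifying it: fine for a local audit of
// what an app was granted, never for trusting the token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Report whole-drive scopes in the `scp` claim and whether `offline_access`
// (the scope that yields a refresh token) was granted.
function auditToken(token) {
  const scopes = (decodeJwtPayload(token).scp || "").split(/\s+/).filter(Boolean);
  return {
    wholeDrive: scopes.filter((s) => WHOLE_DRIVE_SCOPES.has(s)),
    refreshToken: scopes.includes("offline_access"),
  };
}

// Flag keys in sessionStorage/localStorage whose value looks like a JWT:
// anything stored there in plain text is readable by every script on the origin.
function findPlaintextTokens(storage) {
  const jwt = /^eyJ[\w-]+\.[\w-]+\.[\w-]*$/;
  return Object.entries(storage)
    .filter(([, v]) => typeof v === "string" && jwt.test(v))
    .map(([k]) => k);
}

// Build a constructed sample token (alg "none", no signature) with the given scp claim.
function makeSampleToken(scp) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64({ aud: "https://graph.microsoft.com", scp })}.`;
}

// Stand-alone run against the constructed sample.
const sample = makeSampleToken("Files.Read.All offline_access User.Read");
console.log(auditToken(sample), findPlaintextTokens({ msal_token: sample, theme: "dark" }));
```

In a real audit, point `findPlaintextTokens` at `window.sessionStorage` and feed `auditToken` the access token your integration received from the consent flow.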