
OneDrive bug exposes your storage to third-party apps


A security vulnerability in Microsoft OneDrive’s file picker has left cloud storage users exposed to third-party apps. The file picker requests OAuth permissions that grant the external app access to the user’s entire drive, rather than only the specific files selected for download or upload.

The bug was discovered by cybersecurity firm Oasis Security, which describes it in its report as a “classic case of over-permissioned OAuth scopes combined with a misleading consent flow.” The report goes on to add that hundreds of popular web apps, including ChatGPT, Slack and Trello, integrate with OneDrive to facilitate file uploads, and that these integrations give them access to the user’s entire cloud storage.

Different versions of the file picker also have different flaws. Version 7.0 of the file picker requires both read and write access even during uploads. Older versions also handle OAuth tokens via URL fragments and local storage, which is not the best way to deal with sensitive data. Version 8.0 slightly improves the situation by offloading authentication, but the access scopes are still quite broad.


To make matters worse, consent dialogs on OneDrive apparently do not properly communicate the extent of access the user may be providing to an app. In theory, a malicious app can exploit the bug to gain access and expose sensitive files a user or organisation may have stored on the drive.

Since there’s no active fix from Microsoft, current mitigations include checking whether a web app has access to your OneDrive and temporarily revoking it unless you trust the developer. The best option is to disable file uploads to OneDrive through OAuth until Microsoft patches the issue. Users should also avoid using refresh tokens and store their access tokens securely.
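One way to perform that access check, as an added example that is not from the article or from Oasis Security: a Python script that audits a tenant’s delegated OAuth grants and flags apps holding whole-drive file scopes or a refresh-token grant. It assumes the grant records have the shape of Microsoft Graph’s oAuth2PermissionGrant objects (clientId, consentType, scope) and uses constructed sample data rather than output from a real tenant.

```python
import json

# Delegated Microsoft Graph scopes that reach every drive the user can see.
TENANT_WIDE = {"Files.Read.All", "Files.ReadWrite.All",
               "Sites.Read.All", "Sites.ReadWrite.All"}
# Scopes limited to the signed-in user's own drive: still the whole drive,
# not just the files chosen in the picker.
WHOLE_DRIVE = {"Files.Read", "Files.ReadWrite"}


def classify_scopes(scopes):
    """Return 'tenant', 'drive' or 'none' plus the matching file scopes."""
    hit = scopes & TENANT_WIDE
    if hit:
        return "tenant", sorted(hit)
    hit = scopes & WHOLE_DRIVE
    if hit:
        return "drive", sorted(hit)
    return "none", []


def audit_grants(grants, trusted_clients=frozenset()):
    """Flag grants whose file access exceeds the files a user picked.

    `grants` is a list of dicts shaped like Graph oAuth2PermissionGrant
    records (assumption). Trusted client ids are still reported but marked
    so a reviewer can skip them. Worst findings are sorted first.
    """
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())
        level, hit = classify_scopes(scopes)
        if level == "none":
            continue
        findings.append({
            "clientId": g["clientId"],
            "level": level,
            "scopes": hit,
            # offline_access is the scope that yields a refresh token.
            "refresh_token": "offline_access" in scopes,
            # 'AllPrincipals' means an admin consented on behalf of all users.
            "admin_consent": g.get("consentType") == "AllPrincipals",
            "trusted": g["clientId"] in trusted_clients,
        })
    findings.sort(key=lambda f: (f["level"] != "tenant", not f["admin_consent"]))
    return findings


# Constructed sample grants with made-up client ids, not real tenant data.
SAMPLE_GRANTS = json.loads("""[
 {"clientId": "app-a", "consentType": "Principal", "principalId": "u1",
  "scope": "User.Read Files.ReadWrite offline_access"},
 {"clientId": "app-b", "consentType": "AllPrincipals", "principalId": null,
  "scope": "Files.Read.All openid"},
 {"clientId": "app-c", "consentType": "Principal", "principalId": "u1",
  "scope": "User.Read"}
]""")

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, trusted_clients={"app-a"}):
        print(finding)
```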

Google and Dropbox have more restrictive permission models and a safer approach to file security. If you have to use OneDrive, you can also try using view-only links from the cloud storage, although this will impact your workflows and be less convenient for users.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
