TechTrendFeed

OneDrive File Picker Flaw Gives Apps Full Access to User Drives

By Admin
May 28, 2025


A recent investigation by cybersecurity researchers at Oasis Security has revealed a data overreach in how Microsoft's OneDrive File Picker handles permissions, opening the door for hundreds of popular web applications, including ChatGPT, Slack, Trello, and ClickUp, to access far more user data than most people realize.

According to the report, the problem comes from how the OneDrive File Picker requests OAuth permissions. Instead of limiting access to just the files a user selects for upload or download, the picker has the connected application request broad read or write permissions across the user's entire OneDrive. That means when you click to upload a single file, the app may be able to see or modify everything in your cloud storage and retain that access for extended periods.

A Hidden Access Problem

OAuth is the widely used industry standard that allows apps to request access to user data on another platform, with user consent. But as Oasis explains in their blog post, shared with Hackread.com ahead of its publication on Wednesday, the OneDrive File Picker lacks "fine-grained" OAuth scopes that could better restrict what connected apps can see or do.

Microsoft's current setup presents the user with a consent screen that implies only the selected files will be accessed, but in reality the application gains sweeping permissions over the entire drive. The mismatch is between what the consent prompt says and what the scope actually grants: the only way to know what an app can really reach is to look at the scopes in the issued token, not at the prompt.

This works quite differently from how services like Google Drive and Dropbox handle similar integrations. Both offer more precise permission models, allowing apps to interact only with specific files or folders without handing over the keys to the whole storage account.

Adding to the concern, older versions of the OneDrive File Picker (versions 6.0 through 7.2) used outdated authentication flows that exposed sensitive access tokens in insecure places, like browser localStorage or URL fragments. Even the latest version (8.0), while more modern, still stores these tokens in browser session storage in plain text, leaving them exposed if an attacker gains local access or can run script in the page's origin (for example through a cross-site scripting bug in the hosting application).
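
To see for yourself what a picker integration has actually been granted, and where it keeps the token, the following script is an added example (not code from the article, from Oasis Security or from Microsoft). It takes the page's URL fragment and its Web Storage contents, finds anything shaped like a JWT access token, decodes the payload without verifying the signature, and flags scopes that cover the whole drive rather than the picked files. The scope names Files.Read.All, Files.ReadWrite.All, Sites.Read.All and Sites.ReadWrite.All are real Microsoft Graph delegated scopes used here to illustrate a drive-wide grant; the article itself does not name the scope the picker requests. The tokens, storage keys and expiry values in the sample are constructed locally so the script runs offline.

```javascript
// Added example, not code from the article, Oasis Security or Microsoft.
// Given what a page holds in its URL fragment and in Web Storage, find OAuth
// access tokens, decode their claims (no signature check: inspection only),
// and flag scopes that cover the whole drive rather than the picked files.
// Runs under Node or in a browser console.

const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/; // header.payload.signature

// Real Microsoft Graph delegated scopes that grant access to every file the user
// can reach. The article names no specific scope; these are the usual drive-wide ones.
const DRIVE_WIDE_SCOPES = new Set([
  "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
]);

// Where a token sits determines how easily it leaks: fragments end up in history,
// bookmarks and referrers; localStorage persists across sessions; sessionStorage is
// per tab but still plaintext for anything that can read the page (or the disk).
const LOCATION_SEVERITY = { urlFragment: "high", localStorage: "high", sessionStorage: "medium" };

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return typeof Buffer !== "undefined" ? Buffer.from(b64, "base64").toString("utf8") : atob(b64);
}

function base64UrlEncode(s) {
  const b64 = typeof Buffer !== "undefined" ? Buffer.from(s, "utf8").toString("base64") : btoa(s);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode a JWT payload, or return null if the value is not a well-formed JWT.
function decodeJwtPayload(token) {
  if (typeof token !== "string" || !JWT_SHAPE.test(token)) return null;
  try {
    return JSON.parse(base64UrlDecode(token.split(".")[1]));
  } catch {
    return null;
  }
}

// Delegated tokens list scopes in "scp" (space separated); app-only tokens use "roles".
function scopesOf(payload) {
  if (typeof payload.scp === "string") return payload.scp.split(/\s+/).filter(Boolean);
  if (Array.isArray(payload.roles)) return payload.roles;
  return [];
}

// sources: { urlFragment: "#...", localStorage: {key: value}, sessionStorage: {key: value} }
function auditTokenSources(sources) {
  const candidates = [];
  if (sources.urlFragment) {
    const params = new URLSearchParams(sources.urlFragment.replace(/^#/, ""));
    for (const [key, value] of params) candidates.push({ location: "urlFragment", key, value });
  }
  for (const store of ["localStorage", "sessionStorage"]) {
    for (const [key, value] of Object.entries(sources[store] || {})) {
      candidates.push({ location: store, key, value });
    }
  }
  const findings = [];
  for (const { location, key, value } of candidates) {
    const payload = decodeJwtPayload(value);
    if (!payload) continue;
    const scopes = scopesOf(payload);
    findings.push({
      location,
      key,
      audience: payload.aud,
      scopes,
      driveWide: scopes.filter((s) => DRIVE_WIDE_SCOPES.has(s)),
      severity: LOCATION_SEVERITY[location],
    });
  }
  return findings;
}

// Constructed sample data: unsigned tokens built locally so the example runs offline.
function makeUnsignedJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

const broadToken = makeUnsignedJwt({
  aud: "https://graph.microsoft.com", scp: "Files.ReadWrite.All User.Read", exp: 1748419200,
});
const narrowToken = makeUnsignedJwt({
  aud: "https://graph.microsoft.com", scp: "User.Read openid profile", exp: 1748419200,
});

const sampleSources = {
  // Implicit-flow style redirect, as the older picker versions did: token in the fragment.
  urlFragment: `#access_token=${broadToken}&token_type=Bearer&expires_in=3600`,
  localStorage: { theme: "dark" },
  // Hypothetical key name; the point is a plaintext token in Web Storage.
  sessionStorage: { "picker.accessToken": narrowToken },
};

for (const f of auditTokenSources(sampleSources)) {
  console.log(`[${f.severity}] ${f.location}/${f.key}: scopes=${f.scopes.join(" ")}` +
    (f.driveWide.length ? ` DRIVE-WIDE: ${f.driveWide.join(" ")}` : ""));
}
```

In a browser console you would pass `{ urlFragment: location.hash, localStorage: Object.fromEntries(Object.entries(localStorage)), sessionStorage: Object.fromEntries(Object.entries(sessionStorage)) }` instead of the sample. A drive-wide scope in the findings is exactly the over-permissioning the article describes; a token in the fragment or in localStorage is the older, worse case, and a plaintext token in sessionStorage is what version 8.0 does.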

Millions of Users at Risk

Oasis Security estimates that hundreds of apps use the OneDrive File Picker to facilitate file uploads, putting millions of users at risk. For example, ChatGPT users can upload files directly from OneDrive, and with over 400 million users reported each month, the scale of possible over-permissioning is huge.

Oasis contacted both Microsoft and several app vendors ahead of releasing its findings. Microsoft acknowledged the report and indicated it may explore improvements in the future, but as of now, the system works as designed.

An Expert View on the API Security Challenge

Eric Schwake, Director of Cybersecurity Strategy at Salt Security, commented on the research, stating, "Oasis Security's research points to a major privacy risk in how Microsoft OneDrive connects with popular apps like ChatGPT, Slack, and Trello. Because the OAuth scopes in the OneDrive File Picker are too broad, apps can gain access to an entire drive, not just selected files."

He warned that "Combined with insecure storage of access tokens, this creates a serious API security challenge. As more tools rely on APIs to handle sensitive data, it's essential to apply strict governance, limit permissions, and secure tokens to avoid exposing user information."

What Users and Companies Should Do

For users, it's worth checking which third-party apps have access to your Microsoft account. This can be done through the account's privacy settings, where you can view app permissions and revoke any you no longer trust.

How to Check Which Third-Party Apps Have Access to Your Microsoft Account

  • Go to your Microsoft Account page – Visit account.microsoft.com and sign in if you aren't already.
  • Click on "Privacy" – In the top or left menu, find and click the Privacy section.
  • Find "Apps and Services" – Scroll down or look under account settings for Apps and Services you've given access to.
  • View app details – You'll see a list of apps that have permission to access your Microsoft account. Click Details on each app to see what data or scopes they can access.
  • Revoke access if needed – If you no longer trust or use an app, click Remove these permissions or Stop sharing to revoke its access.

For companies, Oasis recommends reviewing enterprise applications in the Entra Admin Center and monitoring service principal permissions to see which apps may have broader access than intended. Using tools like the Azure CLI can help automate parts of this review: the delegated consent grants that back those permissions are available through the Microsoft Graph API, so they can be exported and filtered for drive-wide scopes rather than clicked through one app at a time.
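
For the enterprise review, the following Node script is an added example (not from the article, Oasis Security or Microsoft). It consumes two Microsoft Graph responses that an admin can export with the Azure CLI, `az rest --method GET --url 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants'` for the delegated consent grants and `az rest --method GET --url 'https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,appId,displayName'` for the app names, and lists every app holding a drive-wide scope, whether the consent is tenant-wide (`AllPrincipals`) or per user, and whether `offline_access` (the scope that lets the app obtain refresh tokens) was granted alongside it. The application names, grant IDs and GUIDs in the sample responses are constructed; the drive-wide scope names are real Microsoft Graph scopes chosen as an illustration, since the article does not name the one the picker requests.

```javascript
// Added example, not code from the article, Oasis Security or Microsoft.
// Flags apps in an Entra tenant whose delegated OAuth grants include drive-wide
// scopes. Input is the JSON Microsoft Graph returns for:
//   az rest --method GET --url 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants'
//   az rest --method GET --url 'https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,appId,displayName'
// The two constants below are constructed sample responses (made-up names, IDs and GUIDs).

const DRIVE_WIDE_SCOPES = new Set([
  "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
]);

// Object IDs of the service principals in the constructed sample.
const SP_TRACKER = "0b1d2e3f-1111-4aaa-8bbb-000000000001";
const SP_UPLOADER = "0b1d2e3f-2222-4aaa-8bbb-000000000002";
const SP_GRAPH = "0b1d2e3f-3333-4aaa-8bbb-000000000003";

const servicePrincipals = {
  value: [
    { id: SP_TRACKER, appId: "aaaaaaaa-0000-4000-8000-000000000001", displayName: "Contoso Project Tracker" },
    { id: SP_UPLOADER, appId: "aaaaaaaa-0000-4000-8000-000000000002", displayName: "Expense Uploader" },
    // The resource being accessed; 00000003-0000-0000-c000-000000000000 is Graph's well-known appId.
    { id: SP_GRAPH, appId: "00000003-0000-0000-c000-000000000000", displayName: "Microsoft Graph" },
  ],
};

// oauth2PermissionGrant records: consentType "AllPrincipals" is admin consent for every
// user (principalId null); "Principal" is one user's own consent. "scope" is space separated.
const grants = {
  value: [
    { id: "grant-1", clientId: SP_TRACKER, consentType: "AllPrincipals", principalId: null, resourceId: SP_GRAPH, scope: "User.Read Files.ReadWrite.All offline_access" },
    { id: "grant-2", clientId: SP_UPLOADER, consentType: "Principal", principalId: "user-1", resourceId: SP_GRAPH, scope: "User.Read Files.Read.All" },
    { id: "grant-3", clientId: SP_UPLOADER, consentType: "Principal", principalId: "user-2", resourceId: SP_GRAPH, scope: "User.Read Files.Read.All" },
    { id: "grant-4", clientId: SP_UPLOADER, consentType: "Principal", principalId: "user-3", resourceId: SP_GRAPH, scope: "User.Read" },
  ],
};

// Group grants by client app, keeping only those that carry a drive-wide scope.
function reviewGrants(grantsResponse, spResponse) {
  const nameById = new Map(spResponse.value.map((sp) => [sp.id, sp.displayName]));
  const byClient = new Map();
  for (const g of grantsResponse.value) {
    const scopes = (g.scope || "").split(/\s+/).filter(Boolean);
    const broad = scopes.filter((s) => DRIVE_WIDE_SCOPES.has(s));
    if (broad.length === 0) continue; // nothing drive-wide in this grant
    let entry = byClient.get(g.clientId);
    if (!entry) {
      entry = {
        clientId: g.clientId,
        app: nameById.get(g.clientId) || "(unknown service principal)",
        resource: nameById.get(g.resourceId) || g.resourceId,
        tenantWide: false,    // true once any grant is admin-consented for all users
        userConsents: 0,      // number of per-user consents carrying a drive-wide scope
        offlineAccess: false, // offline_access means the app can hold refresh tokens
        scopes: new Set(),
        grantIds: [],         // what to pass to DELETE /oauth2PermissionGrants/{id}
      };
      byClient.set(g.clientId, entry);
    }
    if (g.consentType === "AllPrincipals") entry.tenantWide = true;
    else entry.userConsents += 1;
    if (scopes.includes("offline_access")) entry.offlineAccess = true;
    broad.forEach((s) => entry.scopes.add(s));
    entry.grantIds.push(g.id);
  }
  // Tenant-wide grants first, then the apps with the most individual consents.
  return [...byClient.values()]
    .map((e) => ({ ...e, scopes: [...e.scopes].sort() }))
    .sort((a, b) => Number(b.tenantWide) - Number(a.tenantWide) || b.userConsents - a.userConsents);
}

for (const r of reviewGrants(grants, servicePrincipals)) {
  const reach = r.tenantWide ? "TENANT-WIDE" : `${r.userConsents} user consent(s)`;
  console.log(`${r.app}: ${r.scopes.join(" ")} on ${r.resource} [${reach}]` +
    (r.offlineAccess ? " + offline_access (refresh tokens)" : "") +
    ` grants=${r.grantIds.join(",")}`);
}
```

Replace the two constants with the exported JSON to run it against a real tenant. A tenant-wide grant can be revoked with `az rest --method DELETE --url 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants/<id>'` using the grant IDs in the report; for per-user grants, the account-level steps above achieve the same thing for one user.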

For developers, the best immediate steps include avoiding the use of long-lived refresh tokens, storing access tokens securely, and disposing of them when no longer needed. Until Microsoft adds more precise OAuth scopes for OneDrive integrations, developers are encouraged to explore safer workarounds, like accepting "view-only" shared file links instead of direct picker integrations, so the application never holds a token that reaches beyond the file the user chose.



© 2025 https://techtrendfeed.com/ - All Rights Reserved
