
OneDrive Gives Web Apps Full Read Access to All Files

Security researchers warn that OneDrive’s file sharing tool may grant third-party web apps access to all your files—not just the one you choose to upload.


Excessive permissions and ambiguous consent prompts may give web apps that upload files to OneDrive read access to all of a user's files, not just the files actually being uploaded.

The issue stems from an insufficiently fine-grained OAuth scope for OneDrive. This leads OneDrive’s File Picker to request read access to all the user’s files rather than the file or files currently being uploaded. It is compounded by user consent dialogs that are not as clear as they could be, making it easy for users to click through, unaware of access being granted to a third party app.

The problem is discussed by Elad Luz, research lead at Oasis Security. “In simple terms,” explains the researcher, “any web application that uses the OneDrive File Picker has access not just to the file you select to upload / download, but to your entire OneDrive. Even worse, this access might persist after the file upload is complete.” It is a classic violation of the principle of least privilege.

Luz names five widely used web apps that are affected: ChatGPT, Slack, Trello, Zoom and ClickUp, but estimates that hundreds of other apps are affected. Oasis reported its concerns to Microsoft, which “took note of the report and may consider improvements in the future.” However, Luz also notes that other cloud providers offer finer-grained choices.

“Google Drive,” for example, “offers a fine-grained [OAuth] scope for web applications, allowing them access only to files that the app has created or those that have been explicitly shared with it.”

And “Dropbox offers a file picker solution through its Chooser SDK, which does not rely on a typical OAuth flow. Instead, it uses a proprietary endpoint where it passes the app key to retrieve the selected files.” This minimizes the need for broad permissions and avoids unnecessary exposure of user data.

This is not a bug in Microsoft’s implementation of OAuth, although it could be called a misconfiguration, and it does increase the attack surface. Jason Soroko, senior fellow at Sectigo, comments: “The read/write scope, together with the consent dialog, does not convey that a click grants the integrator a door into every file and folder in the user’s OneDrive, not just the document they meant to share.”

Furthermore, he continues, “Once issued, those long-lived tokens are often cached in localStorage or back-end DBs without encryption. Therefore, any token theft allows attackers to trawl an entire tenant’s data.”


To make matters worse, users often fail to recognize how much important data can be held in their OneDrive files. “Scanned documents that end up in the ‘My Pictures’ or ‘My Documents’ folders may hold the key to one’s credit identity and profile. Private medical or banking records may get shuffled in and forgotten about, and private photos that were taken by accident synced from your phone to your computer can all silently file into your OneDrive-enabled folders,” adds Jamie Boote, associate principal security consultant at Black Duck.

“Whenever an app asks if you trust it, you’re trusting it with your most precious data.” 

We cannot assume it is safe just because it is Microsoft. “Users should assume that every SaaS plug-in they authorize has the keys to their personal or enterprise crown jewels unless proven otherwise,” says Soroko. “Security teams should enforce ‘admin consent’ or conditional-access policies that block apps requesting anything beyond Files.Read. They should also review existing enterprise app registrations for high-risk scopes and disable or re-authorize them with the least-privilege alternatives, and require short-lived, bound tokens via Continuous Access Evaluation and token protection in Entra ID.”
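The scope-granularity problem described above and the review Soroko recommends come down to the same check: which apps hold delegated file permissions wider than `Files.Read`, and whether those grants are refreshable or tenant-wide. The following script is an added example, not code from the article, Oasis Security or Microsoft. It assumes the input is a JSON export shaped like the Microsoft Graph `oAuth2PermissionGrant` resource (fields `clientId`, `consentType`, `principalId`, `resourceId`, `scope`); the records and client names in `SAMPLE_GRANTS_JSON` are constructed for the demo, and the allow-list of acceptable file scopes is a policy choice made here, not a Microsoft list.

```python
"""Flag delegated OAuth grants that reach beyond Files.Read (added example)."""
import json

# Constructed sample export, shaped like Graph oAuth2PermissionGrant records.
# Client ids here are placeholders, not real service principal ids.
SAMPLE_GRANTS_JSON = """
[
  {"clientId": "sp-chat-app",   "consentType": "Principal",     "principalId": "user-1",
   "resourceId": "graph", "scope": "openid profile Files.ReadWrite.All offline_access"},
  {"clientId": "sp-notes-app",  "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "graph", "scope": "Files.Read User.Read"},
  {"clientId": "sp-picker-app", "consentType": "Principal",     "principalId": "user-2",
   "resourceId": "graph", "scope": "Files.Read.All"}
]
"""

# Policy assumption for this audit: the only file scope a third-party upload
# integration is allowed to hold. Any other Files.* or Sites.* scope grants
# drive- or tenant-wide reach rather than access to the chosen file.
ALLOWED_FILE_SCOPES = {"Files.Read"}
FILE_SCOPE_PREFIXES = ("Files.", "Sites.")


def parse_grants(raw_json: str) -> list[dict]:
    """Load the exported grant records."""
    return json.loads(raw_json)


def audit_grant(grant: dict) -> list[str]:
    """Return human-readable findings for one grant; empty list means it passes."""
    scopes = set(grant.get("scope", "").split())
    overbroad = sorted(
        s for s in scopes
        if s.startswith(FILE_SCOPE_PREFIXES) and s not in ALLOWED_FILE_SCOPES
    )
    findings = []
    if overbroad:
        findings.append("overbroad file scopes: " + ", ".join(overbroad))
        # offline_access yields refresh tokens, so the reach outlives the upload.
        if "offline_access" in scopes:
            findings.append("offline_access: refresh tokens keep this reach alive after the upload")
        # AllPrincipals means admin consent on behalf of every user in the tenant.
        if grant.get("consentType") == "AllPrincipals":
            findings.append("tenant-wide consent (AllPrincipals)")
    return findings


def audit_grants(grants: list[dict]) -> dict[str, list[str]]:
    """Map each failing clientId to its findings; passing grants are omitted."""
    report = {}
    for grant in grants:
        findings = audit_grant(grant)
        if findings:
            report[grant["clientId"]] = findings
    return report


if __name__ == "__main__":
    for client, findings in audit_grants(parse_grants(SAMPLE_GRANTS_JSON)).items():
        print(client)
        for f in findings:
            print("  -", f)
```

Run against a real export, the report is the candidate list for the "disable or re-authorize with the least-privilege alternative" step; `sp-notes-app` passes because `Files.Read` plus `User.Read` is exactly what the quoted guidance permits, while the two apps holding `Files.ReadWrite.All` and `Files.Read.All` are the OneDrive-wide grants the article is about.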

Luz’s own conclusion is simple: “A scope that is not fine-grained enough, combined with a vague use prompt, creates a dangerous combination for both personal users and organizations.” The takeaway is clear: Microsoft should tighten its OAuth scope, and ensure its developers never assume that users will always do the right thing.

Related: Google OAuth Flaw Leads to Account Takeover When Domain Ownership Changes

Related: Millions of Websites Susceptible to XSS Attack via OAuth Implementation Flaw

Related: Oasis Security Raises $35 Million to Tackle Non-Human Identity Management

Related: Microsoft Adds OneDrive to Bug Bounty Program

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
