03 June 25, 07:30
Quote: Microsoft OneDrive is used by millions of users, largely thanks to its integration as the default cloud file hosting service on Windows and Microsoft 365.
Security researchers at Oasis Security discovered a flaw in OneDrive that could give services, apps, and websites full access to all hosted files.
Many web services and sites support uploading files directly from OneDrive and other cloud storage services. ChatGPT, to name just one, includes an option to link the account with a OneDrive account for easier file uploads.
The main benefit here is that files can be uploaded directly from the cloud storage service. This is often faster than uploading the files from the local system.
Many users who upload files directly from OneDrive to such a service might expect that it only gains permissions to access the selected file or files.
Oasis Security notes that this is not the case, as OneDrive does not support fine-grained access controls. In other words, it is an all-or-nothing option that, at least in theory, gives the service full access to all files.
The permissions are time-limited by default but refresh tokens may be used to extend the access period.