Security researchers have discovered a seemingly serious vulnerability in OneDrive. User files can be downloaded or viewed in read-only mode by just about anyone, using your connected apps. Microsoft claims with rather paradoxical composure that the problem, deeply linked to the design of the service, will not be corrected immediately.
Do you use OneDrive and have connected applications or platforms like ChatGPT, Slack and Trello to it? Bad news, everyone… researchers have just discovered a particularly serious bug. All your OneDrive files, including the most sensitive ones, can be downloaded by strangers without you even knowing it. Microsoft, for its part, seems determined to do absolutely nothing to secure its users.
Access like this, right under the nose of the service's security, is quite terrifying. Journalists and public figures can find themselves in very dangerous situations. But for now, you'll have to live with it... or go elsewhere.
Not all cases are covered by OneDrive access permissions
At the heart of the problem is the OAuth module responsible for managing access permissions for the WebApps connected to users' OneDrives. The permissions module lacks granularity compared to competing services like Dropbox and Google Drive.
As a result, the permissions granted to connected WebApps leave at least this rather catastrophic hole. As soon as OneDrive's "File Picker" module is used by one of these services to upload a single file, it requests read access to the entire drive, because the OAuth permission model offers no narrower scope to limit that access to the selected file.
And the worst part is that this access—which completely bypasses OneDrive's security—remains persistent in many cases. This is because OAuth login tokens have a fairly long lifespan. If hackers are looking to siphon off all the files on a target's cloud, they can do so with formidable stealth, without directly attacking OneDrive at any time.
Instead, they can break into a service connected to the account. This can be done in a number of relatively simple and inexpensive ways. From there, they can view and exfiltrate everything – with as much calm as Microsoft's reaction, which you'll discover a little further down.
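As an added example (not code from the researchers or from Microsoft), the following Python audit walks a constructed list of app consents and flags the integrations that only need to pick a single file yet hold drive-wide Microsoft Graph file scopes, and whether that access is persistent; the grant records, purposes and token lifetimes are assumed sample data, and the scope names are the real Graph delegated permissions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Microsoft Graph delegated scopes that read the user's whole drive, not just the
# one file picked. (Real scope names; every grant record below is constructed.)
DRIVE_WIDE_SCOPES = {"Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"}

# Fixed "current time" so the sample data is reproducible (assumed value).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

@dataclass
class ConsentGrant:
    app: str                  # connected app name
    purpose: str              # what the integration actually needs: "pick-one-file" or "sync"
    scopes: list              # delegated scopes granted at consent time
    access_expires: datetime  # access-token expiry
    has_refresh_token: bool   # offline_access granted, so access survives token expiry

def audit(grants, now):
    """Return (app, over-broad scopes, persistent?) for each single-file integration
    that was nevertheless granted drive-wide file access."""
    findings = []
    for g in grants:
        broad = sorted(set(g.scopes) & DRIVE_WIDE_SCOPES)
        if g.purpose != "pick-one-file" or not broad:
            continue
        # Access counts as persistent if it can be renewed or outlives a short session.
        persistent = g.has_refresh_token or g.access_expires - now > timedelta(hours=1)
        findings.append((g.app, broad, persistent))
    return findings

def sample_grants():
    """Constructed consent records; the app names come from the article, the rest is assumed."""
    return [
        ConsentGrant("ChatGPT", "pick-one-file", ["Files.Read.All", "offline_access"],
                     NOW + timedelta(hours=1), True),
        ConsentGrant("Trello", "pick-one-file", ["Files.Read"], NOW + timedelta(minutes=30), False),
        ConsentGrant("BackupTool", "sync", ["Files.ReadWrite.All"], NOW + timedelta(hours=1), True),
    ]

if __name__ == "__main__":
    for app, scopes, persistent in audit(sample_grants(), NOW):
        print(f"{app}: drive-wide {scopes}; persistent={persistent} -> revoke in OneDrive's connected apps")
```

Each flagged entry is one to revoke from OneDrive's connected-apps configuration; the sync tool is skipped because drive-wide access is what that kind of integration legitimately needs.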
Microsoft doesn't see the urgency and isn't fixing anything
Exploiting this attack surface doesn't involve significant financial costs. And cybercriminals have hundreds of WebApps at their disposal, which gives them room to maneuver in case of failure. The list is varied, but all the most popular platforms (those the victim is likely to use) are on it. This includes ChatGPT, Slack, Trello, Zoom, and ClickUp.
Now, you're probably thinking that this report has Microsoft's teams working hard to find an acceptable solution. We'll let you read, without further comment, the few words that the company responded to the authors of the discovery: "Microsoft has taken note of the report and may consider improvements in the future." Before, one imagines, returning to sunbathing on a deckchair.
So what can you do to return to acceptable security standards for your files in the cloud? Obviously, we can only recommend disconnecting all WebApps linked to your OneDrive via the configuration pages. Beyond that, such inaction in the face of an extremely serious problem seems unacceptable. Enough to motivate a transfer of all your data to a competitor that offers a little more security.