Critical Microsoft OneDrive flaw lets hackers access entire cloud storage—ChatGPT, Slack, Trello affected. Learn mitigation steps for enterprises & users.
Cybersecurity experts warn of a severe Microsoft OneDrive vulnerability that could allow unauthorized access to entire cloud storage—putting enterprises and individuals at risk.
A newly discovered OAuth security flaw in Microsoft’s OneDrive File Picker enables malicious websites to bypass file restrictions, potentially exposing a user’s entire cloud storage instead of just selected uploads.
The Oasis Research Team confirmed this critical vulnerability in a report shared with The Hacker News, linking it to overly broad OAuth permissions and misleading consent prompts.
How the OneDrive Exploit Works
The flaw stems from:
Excessive OAuth scopes: Apps request full read access to OneDrive, even when only a single file is uploaded.
Vague consent screens: Users unknowingly grant broad permissions without clear warnings.
Insecure token storage: OAuth tokens are stored in plaintext within browser session data.
Affected apps include high-profile platforms like:
✔ ChatGPT
✔ Slack
✔ Trello
✔ ClickUp
Why This Is a Major Enterprise Risk
The lack of fine-grained OAuth controls means:
Compliance violations (GDPR, HIPAA risks)
Data leaks (corporate secrets, personal files)
Persistent access (refresh tokens allow indefinite data retrieval)
“This is a dangerous combination—vague Microsoft prompts and excessive permissions put millions at risk.” — Oasis Research Team
Microsoft’s Response & Interim Fixes
Microsoft has acknowledged the issue but no patch is available yet. Until a secure update arrives, experts recommend:
🔒 Disabling OneDrive OAuth uploads in high-risk workflows
🔒 Avoiding refresh tokens to limit long-term exposure
🔒 Secure token storage (encrypted databases, not browser sessions)
Protecting Your Data: Best Practices
For IT admins and security teams:
✅ Audit third-party app permissions (revoke unnecessary access)
✅ Enforce least-privilege OAuth policies
✅ Monitor token usage for anomalies
For end users:
⚠ Review consent screens carefully before granting access
⚠ Use enterprise-grade cloud security tools (e.g., CASB solutions)
The Bigger Picture: OAuth Security Gaps
This incident highlights systemic issues in OAuth implementation:
Poor scope granularity (Microsoft lacks file-level controls)
Inadequate user education (misleading prompts)
Third-party app risks (even trusted apps over-request permissions)
Proactive steps for businesses:
Regular OAuth scope audits
Zero-trust architecture adoption
Employee phishing awareness training
Nenhum comentário:
Postar um comentário