Researchers discovered a flaw in Microsoft's OneDrive File Picker that may allow malicious websites to gain access to a user's entire cloud storage rather than only the files the user selects. Because of overly broad OAuth scopes and vague consent screens, users may unknowingly grant far more access than they intend. The flaw affects apps such as ChatGPT and Slack through their OneDrive integrations. Insecure storage of the resulting OAuth tokens exposes users further, to risks that could lead to data leakage and compliance violations.

The problem stems from overly broad OAuth scopes combined with misleading consent screens that fail to explain clearly how much access is being granted.

Because no fine-grained scope exists, users cannot distinguish a legitimate app from a malicious one that targets all of their files: both request the same broad permission.
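One defensive check a practitioner can run is to inspect the `scope` parameter of the authorization request a web app sends before consent is granted. The following is an added example, not code from the original article or from Microsoft; the authorize URL and client_id are constructed placeholders, while the Microsoft Graph permission names are real delegated scopes.

```python
from urllib.parse import urlparse, parse_qs

# Delegated Microsoft Graph permissions that reach every file the signed-in
# user can access, not only the files picked in the dialog.
BROAD_FILE_SCOPES = {
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}

# Constructed sample: the kind of authorize request a browser sends when a
# web app opens a OneDrive picker. client_id is a placeholder, not a real app.
SAMPLE_AUTH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=PLACEHOLDER-CLIENT-ID&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid%20Files.ReadWrite.All%20offline_access"
)

def requested_scopes(auth_url: str) -> list[str]:
    """Return the space-delimited 'scope' values from an OAuth 2.0 authorize URL."""
    query = parse_qs(urlparse(auth_url).query)
    return [s for s in query.get("scope", [""])[0].split() if s]

def broad_scopes(auth_url: str) -> list[str]:
    """Scopes that grant whole-drive or whole-tenant file access."""
    return sorted(s for s in requested_scopes(auth_url) if s in BROAD_FILE_SCOPES)

def issues_refresh_token(auth_url: str) -> bool:
    """offline_access yields a long-lived refresh token, so a token stolen from
    insecure client-side storage keeps working after the browser session ends."""
    return "offline_access" in requested_scopes(auth_url)

def audit(auth_url: str) -> dict:
    """Summarise what the consent screen for this request is really asking for."""
    broad = broad_scopes(auth_url)
    return {
        "scopes": requested_scopes(auth_url),
        "broad_file_scopes": broad,
        "refresh_token": issues_refresh_token(auth_url),
        "least_privilege": not broad,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_AUTH_URL))
```

Run it against a URL captured from the browser's network tab (or a proxy) at the moment the picker opens; a `least_privilege` of `False` means the consent screen is granting whole-drive access regardless of which files are picked.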