Full Report
A flaw in OneDrive File Picker has exposed millions to data overreach through excessive OAuth permissions
Analysis Summary
# Vulnerability: Microsoft OneDrive File Picker Excessive OAuth Scopes
## CVE Details
- CVE ID: Not provided in the source report.
- CVSS Score: Not provided in the source report.
- CWE: Insufficient Authorization / Overly Permissive Scope (Implied CWE-285/CWE-682 based on description)
## Affected Systems
- Products: Microsoft OneDrive File Picker integration used by third-party applications (e.g., ChatGPT, Slack, Trello, ClickUp).
- Versions: File Picker version 7.0 is specifically mentioned, along with older versions ranging from 6.0 to 7.2.
- Configurations: Any application integrating the OneDrive File Picker for file uploads/downloads using the implicated OAuth scopes.
## Vulnerability Description
A security flaw exists in the Microsoft OneDrive File Picker regarding how it requests OAuth permissions. The picker grants applications broad read or write access to a user’s **entire OneDrive** content, even when the user only intends to select specific files for upload or download. This is described as an issue of over-permissioned OAuth scopes combined with a misleading consent flow. Older versions (6.0 to 7.2) also reportedly have insecure handling of sensitive OAuth tokens, including misuse of URL fragments.
## Exploitation
- Status: The research describes the potential for data overreach; exploitation in the wild is not specified, though proof-of-concept details are implied by the consultants' findings.
- Complexity: Low (Implied by the nature of scope overreach during a standard consent flow).
- Attack Vector: Network (via application integration interaction).
## Impact
- Confidentiality: High (Applications can read all user files in OneDrive).
- Integrity: High (Applications may write/modify files across the entire OneDrive).
- Availability: Low (service availability is not the primary concern; the source does not state it, but write access across the drive could in principle be used to delete data).
## Remediation
### Patches
- Specific patch versions are not listed in the source report. Check Microsoft advisories for updates that tighten the OAuth scopes requested by the File Picker.
### Workarounds
- Because the flaw lies in the permissions requested during integration, restrict the use of third-party applications that rely on the OneDrive File Picker until an official fix is available. Where an application offers a direct file-selection mechanism that does not require blanket authorization, prefer that over granting drive-wide access.
## Detection
- **Indicators of Compromise:** Unexpected file access patterns or large data transfers initiated by integrated third-party applications connected to OneDrive.
- **Detection Methods and Tools:** Monitor OAuth consent logs for third-party applications that have been granted broad scopes such as `Files.ReadWrite.All` against OneDrive accounts, when the integration only needs access to the files a user explicitly selects.
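As an added illustration of that consent-log review (example code written for this summary, not part of the report or of any Microsoft tooling), the script below scans consent-grant records shaped like Microsoft Graph `oauth2PermissionGrant` objects and flags apps holding drive-wide `Files.*` scopes. The record shape and the scope names other than `Files.ReadWrite.All` are assumptions; the grant records are constructed sample data.

```python
"""Flag OAuth consent grants that give a third-party app blanket OneDrive access."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Delegated scopes that cover the user's whole drive (or every drive the user
# can reach) instead of the files the user actually picked. Files.ReadWrite.All
# is the scope named in the summary; the others are assumed to be comparable.
BROAD_FILE_SCOPES = {
    "Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
}

# Constructed sample records mimicking oauth2PermissionGrant: one space-separated
# `scope` string per (client app, consenting user) pair. Not real tenant data.
CONSTRUCTED_GRANTS = [
    {"clientId": "app-chatbot", "principalId": "user-1",
     "scope": "openid profile Files.ReadWrite.All offline_access"},
    {"clientId": "app-chatbot", "principalId": "user-4",
     "scope": "openid Files.ReadWrite.All"},
    {"clientId": "app-notes", "principalId": "user-1",
     "scope": "User.Read Files.ReadWrite.AppFolder"},   # app-scoped folder only
    {"clientId": "app-board", "principalId": "user-2",
     "scope": "Files.Read.All User.Read"},
    {"clientId": "app-mail", "principalId": "user-3",
     "scope": "Mail.Read User.Read"},                    # no file access at all
]


@dataclass(frozen=True)
class Finding:
    client_id: str
    principal_id: str
    broad_scopes: Tuple[str, ...]  # sorted for stable output


def find_overbroad_grants(grants: Iterable[dict], broad=BROAD_FILE_SCOPES) -> List[Finding]:
    """Return one Finding per grant whose scope string contains a drive-wide scope."""
    findings = []
    for grant in grants:
        hit = set(grant.get("scope", "").split()) & broad
        if hit:
            findings.append(Finding(grant["clientId"], grant["principalId"], tuple(sorted(hit))))
    return findings


def users_per_flagged_app(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count distinct consenting users per flagged app; a single app with many
    consenting users is the signature of a widely used picker integration."""
    users: Dict[str, set] = {}
    for f in findings:
        users.setdefault(f.client_id, set()).add(f.principal_id)
    return {app: len(ids) for app, ids in users.items()}


if __name__ == "__main__":
    hits = find_overbroad_grants(CONSTRUCTED_GRANTS)
    for f in hits:
        print(f"{f.client_id}: {f.principal_id} granted {', '.join(f.broad_scopes)}")
    print(users_per_flagged_app(hits))
```

In a real tenant the grant list would come from the Graph `oauth2PermissionGrants` endpoint or an exported consent audit log; the matching logic is unchanged.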
## References
- Vendor advisories: Awaiting a specific Microsoft Security Update reference.
- Relevant links - defanged:
- `infosecurity-magazine.com/news/microsoft-onedrive-flaw-exposes/`