OneDrive File Picker is a Microsoft-provided component that lets websites and web apps integrate with a user's OneDrive account to allow uploading, searching, and selecting OneDrive files directly from the app.
An over-privileged OAuth trap
This broad access stems from a limitation in Microsoft's OAuth implementation within File Picker that researchers described as "a lack of fine-grained permission scopes."
Jason Soroko, senior fellow at Sectigo, calls the oversight an over-privileged OAuth trap. "Microsoft's OneDrive File Picker encourages third-party web apps to request broad file access," he said. "Once issued, these long-lived tokens are often cached in localStorage or back-end databases without any encryption, potentially allowing attackers to trawl an entire tenant's data."
OneDrive File Picker's OAuth implementation requests broad scopes instead of fine-grained, file-level scopes that would allow users and developers to restrict access to only the files explicitly selected.
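The distinction between broad and file-level scopes is something an app owner can check for themselves, both in the scope string an integration requests and in the `scp` claim of any access token that ends up cached in localStorage or a back-end database. The following is an added audit helper written for this article, not code from Microsoft or from the researchers; it assumes the Microsoft Graph delegated scope names (`Files.Read.All`, `Files.ReadWrite.All`, `Files.Read.Selected`, `Files.ReadWrite.Selected`, and the `Sites.*.All` variants), and the classification of which ones count as "broad" is this example's own. The sample token it builds is a constructed, unsigned stand-in used only so the example runs offline.

```python
import base64
import json

# Delegated Microsoft Graph scopes that reach every file the user can access,
# versus the fine-grained ".Selected" scopes that limit access to files the
# user explicitly picked. (Scope names from the Graph permissions reference;
# the broad/narrow split is this example's own classification.)
BROAD_FILE_SCOPES = {
    "Files.Read.All",
    "Files.ReadWrite.All",
    "Sites.Read.All",
    "Sites.ReadWrite.All",
}
NARROW_FILE_SCOPES = {
    "Files.Read.Selected",
    "Files.ReadWrite.Selected",
}


def audit_scopes(scope_string):
    """Classify a space-separated OAuth scope string.

    Returns the broad file scopes, the fine-grained ones, everything else,
    and a verdict: "over-privileged" if any broad file scope is present.
    """
    requested = set(scope_string.split())
    broad = sorted(requested & BROAD_FILE_SCOPES)
    narrow = sorted(requested & NARROW_FILE_SCOPES)
    other = sorted(requested - BROAD_FILE_SCOPES - NARROW_FILE_SCOPES)
    return {
        "broad": broad,
        "narrow": narrow,
        "other": other,
        "verdict": "over-privileged" if broad else "ok",
    }


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token):
    """Parse a JWT payload WITHOUT verifying the signature.

    Audit helper for inspecting a token you already hold (for example one
    found in a web app's localStorage during a review). It must never be
    used to decide whether a token is authentic.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def audit_access_token(token):
    """Audit the delegated scopes carried in a token's "scp" claim."""
    claims = decode_jwt_claims(token)
    return audit_scopes(claims.get("scp", ""))


def make_sample_token(claims):
    """Build a CONSTRUCTED, unsigned sample token to exercise the audit.

    Real Microsoft tokens are signed; this one has an empty signature
    segment and exists only so the example runs offline.
    """
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."


if __name__ == "__main__":
    # Constructed scope strings, not taken from a real File Picker request.
    for scopes in ("openid Files.ReadWrite.All", "openid Files.Read.Selected"):
        print(scopes, "->", audit_scopes(scopes)["verdict"])
    sample = make_sample_token({"aud": "https://graph.microsoft.com",
                                "scp": "Files.Read.All profile"})
    print("token ->", audit_access_token(sample))
```

Running the same check over tokens recovered from browser storage or a token table during a review turns the article's concern into a concrete finding: any cached token whose `scp` claim lands in the "broad" bucket is one that reaches far beyond the files the user picked, and the fix is to request the narrowest scope the integration can work with and to encrypt or avoid persisting the token at all.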