OneDrive Gives Web Apps Full Read Access to All Files

OneDrive’s OAuth scopes are too coarse: a web app that only needs to read the file a user is uploading ends up with read access to the user’s entire OneDrive, not just the files the user selected, putting private data at risk. Microsoft has been notified, but the issue highlights broader concerns about OAuth scope design and how clearly consent prompts describe what is being granted. #OneDrive #OAuth #Microsoft #DataPrivacy

Keypoints

  • OneDrive’s OAuth scopes are not fine-grained enough: an app that only needs the files a user picks is granted a scope covering every file in the drive.
  • Consent dialogs are often unclear about what is being granted, so users approve broader access than they intend.
  • Popular apps like ChatGPT, Slack, Trello, Zoom, and ClickUp are affected by this issue.
  • Other cloud providers like Google Drive and Dropbox offer more restrictive scopes for the same use case.
  • Recommended mitigations: enforce least privilege on the scopes an app requests and shorten token lifetimes.
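
The two mitigations above (least-privilege scopes and short token lifetimes) are things an app owner can check in their own integration. The following is an added example written for this page, not code from the article, from Microsoft, or from any of the apps named above. It audits an OAuth 2.0 authorization request and an issued access token: it flags scopes that cover the whole drive rather than the files a user selected, and flags tokens that live longer than a chosen limit. The scope names are the providers’ documented permission names (Microsoft Graph `Files.*`, Google Drive `drive` and `drive.file`); the authorization URL, the client ID, the token and the one-hour lifetime limit are all constructed or assumed for the example.

```python
"""Audit an OAuth 2.0 authorization request and an issued access token for
drive-wide file scopes and long token lifetimes.

Added example, not code from the article or from Microsoft. Scope names are
the providers' documented permission names; the authorization URL, client
ID, token and lifetime limit below are constructed for this example.
"""
import base64
import json
from urllib.parse import parse_qs, urlparse

# Scopes that expose every file the user can reach, not only the files the
# user picked in an upload dialog. Microsoft Graph has no "selected files
# only" delegated scope, so all of its file scopes land here.
DRIVE_WIDE_SCOPES = {
    "Files.Read",
    "Files.Read.All",
    "Files.ReadWrite",
    "Files.ReadWrite.All",
    "https://www.googleapis.com/auth/drive",
}

# Scopes limited to files the user explicitly opened or created with the app.
PER_FILE_SCOPES = {"https://www.googleapis.com/auth/drive.file"}

# Longest access-token lifetime this audit tolerates (assumption: one hour).
MAX_TOKEN_LIFETIME_SECONDS = 3600


def scopes_from_authorize_url(url: str) -> list[str]:
    """Return the space-separated scopes an authorization request asks for."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def classify_scopes(scopes) -> dict:
    """Split requested scopes into drive-wide, per-file and other."""
    wide = sorted(s for s in scopes if s in DRIVE_WIDE_SCOPES)
    per_file = sorted(s for s in scopes if s in PER_FILE_SCOPES)
    other = sorted(
        s for s in scopes if s not in DRIVE_WIDE_SCOPES and s not in PER_FILE_SCOPES
    )
    return {"drive_wide": wide, "per_file": per_file, "other": other}


def decode_jwt_payload_unverified(token: str) -> dict:
    """Decode a JWT payload without verifying the signature.

    Fine for inspecting claims of a token your own app just received; never
    use unverified claims to make an authorization decision.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_findings(token: str) -> list[str]:
    """Flag drive-wide scopes in the token's scp claim and an over-long lifetime."""
    claims = decode_jwt_payload_unverified(token)
    findings = []
    # Microsoft Graph delegated tokens list granted scopes in 'scp'.
    for scope in claims.get("scp", "").split():
        if scope in DRIVE_WIDE_SCOPES:
            findings.append(f"drive-wide scope granted: {scope}")
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    if lifetime > MAX_TOKEN_LIFETIME_SECONDS:
        findings.append(
            f"token lifetime {lifetime}s exceeds {MAX_TOKEN_LIFETIME_SECONDS}s"
        )
    return findings


def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string for the demo (constructed, not issued)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed authorization request of the kind an upload integration sends.
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
    "&scope=openid+offline_access+Files.Read.All"
)

# Constructed token: drive-wide scope and a 90-minute lifetime.
SAMPLE_TOKEN = make_sample_token(
    {"aud": "https://graph.microsoft.com", "scp": "Files.Read.All openid",
     "iat": 1_700_000_000, "exp": 1_700_005_400}
)

if __name__ == "__main__":
    print(classify_scopes(scopes_from_authorize_url(SAMPLE_AUTHORIZE_URL)))
    for finding in token_findings(SAMPLE_TOKEN):
        print("FINDING:", finding)
```

Run it as-is and the sample request is flagged for `Files.Read.All` while the token is flagged for both the scope and its lifetime. Note that `offline_access` lands in the "other" bucket: it yields a refresh token, so even a short access-token lifetime does not bound how long the app keeps the drive-wide access unless refresh tokens are also limited or revoked.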

Read More: https://www.securityweek.com/onedrive-gives-web-apps-full-read-access-to-all-files/