OneDrive File Picker is a Microsoft-provided tool that lets websites and web apps integrate with a user's OneDrive account so the app can upload, browse, and select OneDrive files directly.
An over-privileged OAuth trap
This broad access stems from a limitation in Microsoft's OAuth implementation within File Picker that researchers described as "a lack of fine-grained permission scopes."
Jason Soroko, senior fellow at Sectigo, calls the oversight an over-privileged OAuth trap. "Microsoft's OneDrive File Picker encourages third-party web apps to request broad data access," he said. "Once issued, these long-lived tokens are often cached in localStorage or back-end databases without any encryption, potentially allowing attackers to trawl an entire tenant's data."
OneDrive File Picker's OAuth implementation requests broad scopes instead of fine-grained, file-level scopes that would let users and developers restrict access to only the files explicitly selected.
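For a team that embeds the picker, the practical question is what the cached tokens actually grant. The audit below is an added example, not code from the article or from Microsoft: it scans a key/value store shaped like localStorage for JWT-formatted access tokens, decodes their payload without trusting the signature, and flags tenant-wide file scopes. The scope names are real Microsoft Graph delegated permission names; the storage contents and tokens are constructed sample data.

```javascript
// Graph delegated permissions that reach every file the user can see
// (assumption: the list a given app treats as "too broad" may differ).
const TENANT_WIDE_SCOPES = new Set([
  "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
]);

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  return typeof Buffer !== "undefined"
    ? Buffer.from(b64, "base64").toString("utf8") : atob(b64);
}

// Decode (not verify) a JWT payload; returns null for non-JWT values.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try { return JSON.parse(base64UrlDecode(parts[1])); } catch { return null; }
}

// Walk every stored value, report scopes, broad scopes and remaining lifetime.
function auditStoredTokens(storage, now = Date.now()) {
  const findings = [];
  for (const [key, value] of Object.entries(storage)) {
    const claims = typeof value === "string" ? decodeJwtPayload(value) : null;
    if (!claims || typeof claims.scp !== "string") continue;
    const scopes = claims.scp.split(" ");
    const broad = scopes.filter((s) => TENANT_WIDE_SCOPES.has(s));
    const hoursUntilExpiry = claims.exp ? (claims.exp * 1000 - now) / 3.6e6 : null;
    findings.push({ key, scopes, broad, overPrivileged: broad.length > 0, hoursUntilExpiry });
  }
  return findings;
}

// --- constructed sample data: unsigned tokens with a placeholder signature ---
function base64UrlEncode(str) {
  const b64 = typeof Buffer !== "undefined" ? Buffer.from(str, "utf8").toString("base64") : btoa(str);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fakeJwt(claims) {
  return `${base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }))}.${base64UrlEncode(JSON.stringify(claims))}.sig`;
}
const NOW = 1700000000000; // fixed clock so the expiry arithmetic is reproducible
const SAMPLE_STORAGE = {
  "picker.accessToken": fakeJwt({ scp: "Files.ReadWrite.All offline_access", exp: NOW / 1000 + 3600 }),
  "graph.token": fakeJwt({ scp: "Files.Read.Selected", exp: NOW / 1000 + 600 }),
  theme: "dark", // non-token entry, must be skipped
};
console.log(auditStoredTokens(SAMPLE_STORAGE, NOW));
```

Run against a real app's storage, a finding with `overPrivileged: true` and a long `hoursUntilExpiry` is exactly the condition Soroko describes: a long-lived, tenant-wide token sitting in client-side storage.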