Microsoft OneDrive File Picker Vulnerability Allows Full Access to Cloud Storage When Uploading a Single File

May 28, 2025
Data Privacy / Vulnerability

Cybersecurity researchers have identified a serious security flaw in Microsoft’s OneDrive File Picker. If exploited, this vulnerability could enable websites to gain access to a user’s entire cloud storage, rather than just the files intended for upload. According to the Oasis Research Team’s report to The Hacker News, the issue arises from overly broad OAuth scopes and unclear consent screens that do not adequately communicate the level of access being granted. This flaw poses significant risks, including potential customer data leaks and violations of compliance regulations. Affected applications may include ChatGPT, Slack, Trello, and ClickUp, all of which integrate with Microsoft’s cloud service. The core of the problem lies in the excessive permissions required by the OneDrive File Picker, which requests read access to the entire drive, even when only a single file is selected for upload, due to a lack of fine-grained permission controls.

Security Flaw in Microsoft OneDrive File Picker Exposes Users to Potential Data Breaches

May 28, 2025

Recent findings from cybersecurity researchers at the Oasis Research Team have unveiled a serious vulnerability within Microsoft’s OneDrive File Picker. This flaw enables websites to gain unrestricted access to users’ entire cloud storage, even when only a single file is intended for upload. The report, shared with The Hacker News, emphasizes that the issue arises from excessively broad OAuth permissions and ambiguous consent screens, which do not adequately inform users about the true scope of access being granted to applications.

The ramifications of this vulnerability are significant and could potentially lead to considerable data leakage, as well as violations of compliance regulations that many organizations are bound to uphold. Notably, several widely used applications, including ChatGPT, Slack, Trello, and ClickUp, could be at risk due to their integration with Microsoft’s cloud services. This broad risk underscores the necessity for business owners to remain vigilant regarding third-party application permissions that access cloud storage solutions.

The core of the problem lies in the OneDrive File Picker’s design, which requests grants for read access to the entire drive. This request persists regardless of whether users upload just one file, indicating a lack of fine-grained access control. Given the increasing reliance on cloud storage for sensitive business data, such inherent flaws pose a considerable threat not only to user privacy but also to organizational security frameworks.

From a threat landscape perspective, this incident can be analyzed through the lens of the MITRE ATT&CK Matrix, which serves as a comprehensive guide for understanding adversary tactics and techniques. The initial access technique could be correlated with the exploitation of this vulnerability, as unauthorized applications could gain access to sensitive data. Additionally, tactics related to privilege escalation may be leveraged if attackers aim to enhance their access rights beyond what is normally permitted.

Organizations must take immediate action to assess their integrations with any applications utilizing the OneDrive File Picker. Understanding the implications of granting extensive permissions should be a priority for business leaders, particularly in sectors that handle sensitive or regulated information.

As cybersecurity threats continue to evolve, keeping abreast of such vulnerabilities is critical for safeguarding organizational assets and maintaining compliance with data protection regulations. The findings regarding the OneDrive File Picker serve as a vital reminder of the importance of rigorous security assessments and the need for clearer communication around the permissions that web applications request when accessing cloud storage environments.

Source link

Related Posts

Over 100,000 WordPress Sites Vulnerable to Critical CVSS 10.0 Flaw in TI WooCommerce Wishlist Plugin

May 29, 2025 Vulnerability / Website Security

Cybersecurity experts have revealed a severe, unpatched security vulnerability affecting the TI WooCommerce Wishlist plugin for WordPress. This flaw can be exploited by unauthenticated attackers to upload arbitrary files. The TI WooCommerce Wishlist, with over 100,000 active installations, allows e-commerce customers to save their favorite products and share their lists on social media.

According to Patchstack researcher John Castro, “The plugin is susceptible to an arbitrary file upload vulnerability, enabling attackers to upload malicious files to the server without any authentication.” Identified as CVE-2025-47577, this vulnerability has a CVSS score of 10.0 and affects all versions up to and including 2.9.2, released on November 29, 2024. Currently, no patch is available. The website security firm pointed out that the vulnerability is linked to a function called “tinvwl_upload_file_wc_fields_factory,” which utilizes another native WordPress…

China-Linked Hackers Target SAP and SQL Server Vulnerabilities in Attacks Across Asia and Brazil

May 30, 2025
Vulnerability / Threat Intelligence

A China-linked threat group has been identified as the source of recent attacks exploiting a critical security flaw in SAP NetWeaver, part of a larger campaign against organizations in Brazil, India, and Southeast Asia that began in 2023. According to Trend Micro security researcher Joseph C. Chen, the attackers primarily exploit SQL injection vulnerabilities in web applications to infiltrate SQL servers of targeted entities. “The actor also leverages various known vulnerabilities to compromise public-facing servers,” Chen noted in a recent analysis. Key targets have included Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. Trend Micro is tracking this activity under the name Earth Lamia, which shows some overlap with threat clusters reported by Elastic Security Labs as REF0657, Sophos as STAC6451, and Palo Alto Networks’ Unit 42.

Qualcomm Resolves Three Zero-Day Vulnerabilities Targeting Android Devices Through Adreno GPU

June 02, 2025
Spyware / Vulnerability

Qualcomm has released security updates to address three zero-day vulnerabilities that have been exploited in limited, targeted attacks. These flaws, responsibly disclosed by the Google Android Security team, include:

  • CVE-2025-21479 and CVE-2025-21480 (CVSS score: 8.6): Two incorrect authorization vulnerabilities in the Graphics component that could lead to memory corruption due to unauthorized command execution in GPU microcode during specific command sequences.

  • CVE-2025-27038 (CVSS score: 7.5): A use-after-free vulnerability in the Graphics component that may result in memory corruption while rendering graphics using Adreno GPU drivers in Chrome.

According to Qualcomm’s advisory, the Google Threat Analysis Group has indicated that CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038 might be under limited, targeted exploitation. Patches have been issued to resolve the vulnerabilities affecting the Adreno graphics architecture.

Security Flaws in Preinstalled Apps on Ulefone and Krüger&Matz Phones Allow Unauthorized Device Resets and PIN Theft

Three security vulnerabilities have been identified in preloaded Android applications on Ulefone and Krüger&Matz smartphones. These flaws enable any installed app to factory reset the device and potentially encrypt other applications. Key details of the vulnerabilities include:

  • CVE-2024-13915 (CVSS score: 6.9): A pre-installed “com.pri.factorytest” app on Ulefone and Krüger&Matz devices exposes a service that permits any app to execute a factory reset.

  • CVE-2024-13916 (CVSS score: 6.9): The “com.pri.applock” app on Krüger&Matz smartphones allows users to encrypt apps using a PIN or biometric data. This app also exposes a method that lets malicious apps access sensitive fingerprint data.