OneDrive flaw can give websites and apps full access to your files, even if you pick just one | Free Download

Microsoft OneDrive is used by millions of users, largely thanks to its integration as the default cloud file hosting service on Windows and Microsoft 365.

Security researchers at Oasis Security discovered a flaw in OneDrive that can give services, apps and websites full access to all hosted files.

Many web services and sites support uploading files directly from OneDrive and other cloud storage services. ChatGPT, to name only one, includes an option to link the account with a OneDrive account for easy file uploads.

The main advantage here is that files can be uploaded directly from the cloud storage service. This is often faster than uploading files from the local system.

Many users who upload files directly from OneDrive to such a service may expect it to get permission to access only the selected file or files.

Oasis Security notes that this is not the case, because OneDrive does not support proper access control. In other words, it is all or nothing, which, at least in principle, gives the service complete access to all files.

Permissions expire by default, but refresh tokens can be used to extend the access period.

Users who want to use their OneDrive account for uploads are shown a consent prompt. It asks for consent, but Oasis Security notes that the prompt's "vague" language does not communicate well what access is given to the app or site.

Oasis Security recommends that OneDrive users check app permissions and remove those that are no longer needed.

OneDrive Private App Access

Here is how it is done:

  1. Load the following address in your favorite web browser: https://account.microsoft.com/privacy/app-access
    1. You may be prompted to sign in to your Microsoft account. If you are, complete the sign-in process.
  2. Browse the list of apps that you see there.
  3. Click Details next to an app to see the permissions you have given it.
  4. Select “Do not allow” to remove the permission. You may be prompted to verify the operation using your password, PIN or other means.

Each entry lists the name of the application, the last used date, and two action buttons: “Do not allow” and “Details”.

Open Permission for OneDrive Files

The page lists apps that have requested any permission. These do not necessarily involve OneDrive. If you are a gamer, you may see permissions to access Xbox Live data.

Look for permissions that allow apps to open OneDrive files, or even broader OneDrive permissions.

The site lacks options for finding specific permissions. It is not very convenient, even though you may be able to rule out some apps immediately by looking at the name or last used date.

There is no option to select everything at once to revoke all permissions.

How to check that no site requests OneDrive permission

Sites and apps display a prompt whenever a link to OneDrive is being established through the user's action of uploading or downloading files.

Check the consent prompt for OneDrive permissions. It may be better to skip OneDrive completely, especially if only one or a small number of files need to be uploaded.
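The consent prompt's wording can be cross-checked against what the sign-in URL actually requests. The following is an added example, not code from the original article or from Oasis Security: it reads the `scope` parameter of a Microsoft OAuth consent URL and reports whether drive-wide file access and refresh tokens (`offline_access`) are requested. The scope names are Microsoft Graph delegated permissions; the sample URL, client ID and redirect address are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Microsoft Graph file scopes that confine an app to part of the drive.
NARROW_FILE_SCOPES = {"files.readwrite.appfolder", "files.read.selected",
                      "files.readwrite.selected"}

# Constructed sample: the address shown in the sign-in popup of a hypothetical app.
SAMPLE_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
              "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
              "&scope=openid%20offline_access%20Files.Read.All")


def audit_consent_url(url: str) -> dict:
    """Summarise the file-related scopes an OAuth consent URL requests."""
    query = parse_qs(urlsplit(url).query)
    # Scopes are one space-delimited parameter; parse_qs decodes '+' and %20.
    scopes = " ".join(query.get("scope", [])).split()
    report = {"drive_wide": [], "narrow": [], "other": [],
              "drive_wide_write": False, "refresh_token": False}
    for scope in scopes:
        # Strip a resource prefix such as https://graph.microsoft.com/
        name = scope.rsplit("/", 1)[-1]
        lowered = name.lower()
        if lowered == "offline_access":
            report["refresh_token"] = True  # access can outlive the session
        elif lowered in NARROW_FILE_SCOPES:
            report["narrow"].append(name)
        elif lowered.startswith("files."):
            # Every other Files.* scope covers the user's whole drive.
            report["drive_wide"].append(name)
            report["drive_wide_write"] |= "readwrite" in lowered
        else:
            report["other"].append(name)
    return report


def verdict(report: dict) -> str:
    """One-line summary suitable for deciding whether to accept the prompt."""
    if not report["drive_wide"]:
        return "no drive-wide file scope requested"
    mode = "read/write" if report["drive_wide_write"] else "read-only"
    life = "renewable via refresh token" if report["refresh_token"] else "expires"
    return f"drive-wide {mode} access, {life}"


if __name__ == "__main__":
    print(verdict(audit_consent_url(SAMPLE_URL)))
```
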

Now you: Do you use OneDrive or any other file hosting service on the Internet? Have you given apps or services access to your files? Feel free to leave a comment below.




Source: Ghacks
