If you use OneDrive to upload files to ChatGPT or Zoom, don’t

Web app vendors aren’t off the hook: This could be bad news for security teams, according to Eric Schwake, director of cybersecurity strategy at Salt Security. “Sensitive secrets required for this access are often stored in an insecure manner by default,” Schwake said. “This situation presents a key API security challenge for security teams, and with services like ChatGPT heavily depending on APIs to access and handle user data, this poses an even greater risk.”

A third-party web application ending up with “unintentional” user data owing to this situation becomes a target for threat actors and could potentially run afoul of compliance rules just by having that level of access.

Oasis notes that apps such as ChatGPT (uses File Picker v8.0), ClickUp, Trello, Zoom, and Slack are potentially affected. Even apps like Phenome, a recruitment tool, could unintentionally expose confidential files if users upload resumes from corporate accounts.

“Vendors developing Web apps are at risk, as security incidents could result in severe consequences, leaking a lot of files from a lot of their users,” Oasis researchers noted.

Certain steps are key while Microsoft looks into the issue: Oasis reported that it had contacted Microsoft, which acknowledged the report and indicated that it may consider making improvements in the future. Microsoft did not respond to queries about the issue.

In the meantime, Oasis recommended a few mitigation steps for web apps, which include removing the file upload option using OneDrive through OAuth until Microsoft fixes it, and exploring simpler workarounds like supporting shared “view only” file links from OneDrive.

Oasis also noted that File Picker solutions on other file hosting services such as Google Drive and Dropbox can be used as an alternative too, as they don’t suffer from this issue.

“Users should assume that every SaaS plug-in they authorize has the keys to their personal or enterprise crown jewels unless proven otherwise,” Soroko said.

“Security teams should enforce ‘admin consent’ or conditional-access policies that block apps requesting anything beyond Files.Read.”

Schwake added that stronger API governance to ensure all API permissions are meticulously managed, which includes sticking to least privilege and secure handling of tokens, is necessary for avoiding extensive data exposure.
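One way to turn the least-privilege advice quoted above into a routine check, as an added example that is not part of the original article or of Oasis's research: the function below audits a list of delegated OAuth2 permission grants shaped like Microsoft Graph's oauth2PermissionGrant records (clientId, consentType, scope) and flags any grant whose scopes go beyond Files.Read, as well as user-consented grants that an admin-consent policy would have blocked. The grant records are constructed sample data, not pulled from a real tenant.

```python
from dataclasses import dataclass, field

# Delegated scopes a OneDrive file-picker integration should be allowed to hold.
# Files.Read is the scope named in the article; anything broader is flagged.
ALLOWED_SCOPES = {"Files.Read"}


@dataclass
class Finding:
    client_id: str
    excess_scopes: list = field(default_factory=list)  # scopes beyond the allowlist
    user_consented: bool = False  # True when a single user, not an admin, granted it


def audit_grants(grants, allowed=ALLOWED_SCOPES):
    """Return one Finding per grant that violates least privilege.

    Each grant mirrors the shape of a Microsoft Graph oauth2PermissionGrant:
    'clientId', 'consentType' ('AllPrincipals' for admin consent, 'Principal'
    for one user's own consent) and 'scope' (space-separated delegated scopes).
    """
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())
        excess = sorted(scopes - allowed)
        user_consented = g.get("consentType") == "Principal"
        if excess or user_consented:
            findings.append(Finding(g["clientId"], excess, user_consented))
    return findings


# Constructed sample grants (hypothetical app ids, not real tenant data).
SAMPLE_GRANTS = [
    {"clientId": "app-picker-minimal", "consentType": "AllPrincipals",
     "scope": "Files.Read"},
    {"clientId": "app-picker-broad", "consentType": "Principal",
     "scope": "Files.Read Files.ReadWrite.All Sites.Read.All offline_access"},
    {"clientId": "app-picker-admin-broad", "consentType": "AllPrincipals",
     "scope": "Files.Read.All"},
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f.client_id, "excess:", f.excess_scopes,
              "user-consented:", f.user_consented)
```

In a live tenant the same function can be fed the `value` array returned by Graph's oauth2PermissionGrants listing; only the first sample grant passes the check.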

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3997051/if-you-use-onedrive-to-upload-files-to-chatgpt-or-zoom-dont.html
