
A newly disclosed flaw in Microsoft’s OneDrive File Picker grants web applications far more access to a user’s OneDrive than a file upload requires, affecting hundreds of applications and millions of users.
Oasis Security’s research team uncovered the vulnerability, which grants excessive access permissions to OneDrive contents during routine file uploads. The discovery has raised significant concerns over data privacy, enterprise compliance, and secure access practices in web applications.
The flaw lies in how the OneDrive File Picker obtains access. When a user picks a single file to upload, the picker requests read access to the user’s entire OneDrive rather than to that one file.
The root cause is the absence of fine-grained OAuth scopes in Microsoft’s OneDrive API: the delegated file permissions it offers (Files.Read, Files.Read.All and their ReadWrite variants) all apply to the whole drive, and there is no scope limited to the files a user has selected. Developers therefore have no way to restrict an application to the picked files alone.
Oasis Security warned that this vulnerability affects popular platforms such as ChatGPT, Slack, Trello, and ClickUp. Millions of users may have unknowingly granted these applications extensive access to their OneDrive data.
Microsoft is reportedly considering future updates to align File Picker permissions more precisely with actual access needs.
The problem is compounded by Microsoft’s vague user consent prompt. When users agree to share files via the File Picker, the consent language fails to clearly communicate the level of access being granted. This opens the door to both unintentional data exposure and exploitation by malicious apps.
Moreover, the latest version of the OneDrive File Picker (v8.0) no longer handles sign-in itself: the embedding application must obtain an access token on its own, typically with the Microsoft Authentication Library (MSAL), and pass it to the picker. This moves token handling into the application’s own code and introduces additional risk.
MSAL.js caches tokens unencrypted in the browser’s session storage by default, where any script running in the page can read them. The authorization flow it uses can also return a refresh token whenever the offline_access scope is requested, giving the application persistent access to the user’s data well beyond the lifetime of a single access token.
Security Recommendations from Oasis Security
Oasis Security recommends several mitigation steps for users, organizations, and developers:
For Individual Users:
- Log into your Microsoft account and navigate to the Privacy section.
- Under “App Access,” review all applications with OneDrive access.
- Click “Details” for each app to review scopes and permissions.
- Revoke access where necessary using the “Stop Sharing” option.
For Organizations:
- Use the Entra Admin Center to view enterprise applications.
- Identify apps by their Application ID and Object ID.
- Open each application’s “Permissions” tab to review granted scopes.
- Verify delegated access permissions and identify the granting user.
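The organizational review above can be scripted instead of clicked through. The following is an added example, not Oasis Security’s or Microsoft’s code: it triages delegated consent grants in the shape Microsoft Graph returns from GET /oauth2PermissionGrants (where clientId is the consenting app’s service principal object ID, principalId is the consenting user, and scope is a space-separated list) and reports the identifiers the Entra admin center shows, who granted access, and whether offline_access was included. It assumes the grants and a service-principal lookup have already been fetched and are passed in as plain objects; the sample records and IDs are constructed placeholders.

```javascript
// Added example, not Oasis Security's or Microsoft's code: triage of delegated consent grants in
// the shape Microsoft Graph returns from GET /oauth2PermissionGrants (clientId is the service
// principal object ID, principalId the consenting user, scope a space-separated list).
// Assumptions: grants and a service-principal lookup are fetched separately and passed in as
// plain objects; the sample data below is constructed and the GUID-like IDs are placeholders.
// Runs under Node.js.

// Delegated Graph/OneDrive scopes that cover the whole drive. None of them is limited to files
// the user picked, which is exactly the gap the research describes.
const DRIVE_WIDE_SCOPES = new Set([
  "Files.Read",
  "Files.ReadWrite",
  "Files.Read.All",
  "Files.ReadWrite.All",
]);

// Constructed sample: two apps, three grants. "AllPrincipals" is tenant-wide admin consent and
// has no principalId; "Principal" is a single user's consent.
const SAMPLE_GRANTS = [
  {
    id: "grant-1",
    clientId: "11111111-aaaa-4aaa-8aaa-111111111111", // service principal object ID (placeholder)
    consentType: "Principal",
    principalId: "alice-object-id",
    resourceId: "graph-sp",
    scope: "Files.Read.All User.Read offline_access",
  },
  {
    id: "grant-2",
    clientId: "11111111-aaaa-4aaa-8aaa-111111111111",
    consentType: "AllPrincipals",
    principalId: null,
    resourceId: "graph-sp",
    scope: "User.Read",
  },
  {
    id: "grant-3",
    clientId: "22222222-bbbb-4bbb-8bbb-222222222222",
    consentType: "Principal",
    principalId: "bob-object-id",
    resourceId: "graph-sp",
    scope: "Files.ReadWrite.All",
  },
];

// Service principal object ID -> { appId (the "Application ID"), displayName }. Constructed.
const SAMPLE_SERVICE_PRINCIPALS = {
  "11111111-aaaa-4aaa-8aaa-111111111111": { appId: "app-upload", displayName: "Upload Helper" },
  "22222222-bbbb-4bbb-8bbb-222222222222": { appId: "app-chat", displayName: "Team Chat Connector" },
};

function parseScopes(scope) {
  return (scope || "").trim().split(/\s+/).filter(Boolean);
}

// One finding per grant that carries a drive-wide file scope, with the identifiers the Entra
// admin center shows (Application ID, Object ID), who granted it, and whether offline_access was
// included (which means the app may hold a refresh token and keep access after the user leaves).
function auditGrants(grants, servicePrincipals) {
  return grants.flatMap((g) => {
    const scopes = parseScopes(g.scope);
    const driveWide = scopes.filter((s) => DRIVE_WIDE_SCOPES.has(s));
    if (driveWide.length === 0) return [];
    const sp = servicePrincipals[g.clientId] || {};
    return [{
      grantId: g.id,
      app: sp.displayName || g.clientId,
      applicationId: sp.appId || null,
      objectId: g.clientId,
      driveWide,
      persistent: scopes.includes("offline_access"),
      grantedBy: g.consentType === "AllPrincipals"
        ? "admin consent (all users)"
        : `user consent by ${g.principalId}`,
    }];
  });
}

// Render findings as one line each for a ticket or report.
function formatFindings(findings) {
  return findings.map((f) =>
    `${f.app} (appId=${f.applicationId}, objectId=${f.objectId}): ` +
    `${f.driveWide.join(", ")} via ${f.grantedBy}` +
    (f.persistent ? " [offline_access: refresh token possible]" : ""));
}

console.log(formatFindings(auditGrants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS)).join("\n"));
```

The records this expects are what GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants (or Get-MgOauth2PermissionGrant in the Graph PowerShell module) returns; resolve clientId to a display name and appId through the servicePrincipals collection. Note that this covers delegated (user-context) grants only, which is what the File Picker uses; application permissions granted to an app’s service principal are recorded separately as app role assignments and are not in this data.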
For Developers and Web App Providers:
- Temporarily disable OneDrive-based file uploads if feasible.
- Do not request the “offline_access” scope (which is what causes a refresh token to be issued) and do not use refresh tokens.
- Remove any code that stores or utilizes refresh tokens.
- Keep access tokens as secure as the client allows (in memory rather than browser storage) and discard them as soon as the upload is done.
- Review and update all token handling logic to prevent exposure.
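The developer recommendations above, and the earlier point about MSAL caching tokens in session storage, come down to three checks in the application’s own code: do not ask for offline_access, refuse to use a token that is broader than the task, and keep the access token only for as long as the picker session lasts. The following is an added example, not Oasis Security’s, Microsoft’s or MSAL’s code, showing those checks. It assumes the application sees a standard OAuth 2.0 token endpoint response (access_token, expires_in, optional refresh_token) and that the access token is a Microsoft Entra JWT whose scp claim lists the delegated scopes actually granted. The sample token is constructed and unsigned; the function and constant names are the example’s own.

```javascript
// Added example, not Oasis Security's, Microsoft's or MSAL's code: checks a web application can
// run on the tokens it obtains for OneDrive File Picker v8 before handing them to the picker.
// Assumptions: the app sees a standard OAuth 2.0 token endpoint response (RFC 6749 section 5.1:
// access_token, expires_in, optional refresh_token) and the access token is a Microsoft Entra JWT
// whose "scp" claim lists the delegated scopes that were granted. The sample token below is
// constructed and unsigned; a real one is signed by Entra. Runs under Node.js.

// Delegated file scopes that cover the whole drive; there is no "selected files only" scope.
const DRIVE_WIDE_SCOPES = new Set([
  "Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
]);

// Refuse a scope request that would make the authorization server issue a refresh token.
function validateRequestedScopes(scopes) {
  for (const s of scopes) {
    if (s.toLowerCase() === "offline_access") {
      throw new Error("offline_access requests a refresh token; a one-off file pick does not need one");
    }
  }
  return [...new Set(scopes)];
}

function base64url(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromBase64url(str) {
  const padded = str.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Decode, but do NOT verify, a JWT payload. The browser app is not the token's audience
// (Microsoft Graph is), so it cannot validate the signature; this only inspects what the app
// was handed so it can refuse to use an over-broad token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact serialization");
  return JSON.parse(fromBase64url(parts[1]));
}

// Summarise what a token response actually grants, regardless of what was requested.
function auditTokenResponse(resp) {
  const claims = decodeJwtPayload(resp.access_token);
  const granted = (claims.scp || "").split(/\s+/).filter(Boolean);
  return {
    granted,
    driveWide: granted.filter((s) => DRIVE_WIDE_SCOPES.has(s)),
    hasRefreshToken: typeof resp.refresh_token === "string" && resp.refresh_token.length > 0,
    expiresAt: claims.exp,
  };
}

// Hold the access token in a closure for one picker session and drop it afterwards, instead of
// leaving it in sessionStorage. Caveat: script injected into the page (XSS) can still call
// getToken() while the session is open, so this limits exposure in time; it does not replace
// narrower scopes.
function createPickerTokenHolder(resp, now = () => Math.floor(Date.now() / 1000)) {
  let token = resp.access_token;
  const exp = decodeJwtPayload(token).exp;
  return {
    getToken() {
      if (token === null) throw new Error("token already discarded");
      if (typeof exp === "number" && now() >= exp) {
        token = null;
        throw new Error("token expired");
      }
      return token;
    },
    discard() { token = null; },
    isHeld() { return token !== null; },
  };
}

// Constructed sample: header and payload are real JWT shapes, the signature is a placeholder.
function makeSampleJwt(payload) {
  const header = { alg: "RS256", typ: "JWT" };
  return `${base64url(JSON.stringify(header))}.${base64url(JSON.stringify(payload))}.${base64url("placeholder-signature")}`;
}

// Constructed sample response for an app that asked for Files.Read.All plus offline_access.
const SAMPLE_TOKEN_RESPONSE = {
  token_type: "Bearer",
  expires_in: 3599,
  access_token: makeSampleJwt({
    aud: "https://graph.microsoft.com",
    scp: "Files.Read.All User.Read",
    exp: 4102444800, // 2100-01-01, so the sample does not expire while you try it
  }),
  refresh_token: "constructed-refresh-token-placeholder",
};

const audit = auditTokenResponse(SAMPLE_TOKEN_RESPONSE);
if (audit.driveWide.length > 0 || audit.hasRefreshToken) {
  console.warn("over-broad token for a file pick:", audit);
}
```

The audit looks at what came back rather than only at what was asked for because MSAL.js adds openid, profile and offline_access to its requests on its own, so filtering the requested scope list is not enough to keep a refresh token out of the browser; with MSAL.js, setting cache.cacheLocation to "memoryStorage" keeps its cache out of sessionStorage. None of this narrows the drive-wide grant itself, which only Microsoft can do by adding a per-file scope.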
Users can also tell whether a website uses the OneDrive File Picker by reading the Microsoft consent prompt shown when the site asks to upload from or download to OneDrive. If the prompt asks for permission to read (or read and write) the files in your OneDrive, the site likely integrates the File Picker.
This vulnerability highlights the critical need for precise access control and transparent consent in cloud services. Until Microsoft introduces fine-grained OAuth scopes and clearer consent dialogs, users and organizations must remain vigilant about what they share with third-party applications.