Microsoft OneDrive File Picker Flaw Grants Apps Full Cloud Access — Even When Uploading Just One File

May 28, 2025Ravie LakshmananData Privacy / Vulnerability

Cybersecurity researchers have discovered a security flaw in Microsoft’s OneDrive File Picker that, if successfully exploited, could allow websites to access a user’s entire cloud storage content, as opposed to just the files selected for upload via the tool.

“This stems from overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted,” the Oasis Research Team said in a report shared with The Hacker News. “This flaw could have severe consequences, including customer data leakage and violation of compliance regulations.”

It’s assessed that several apps are affected, such as ChatGPT, Slack, Trello, and ClickUp, given their integration with Microsoft’s cloud service.

The problem, Oasis said, is the result of excessive permissions requested by the OneDrive File Picker, which seeks read access to the entire drive, even in cases only a single file is uploaded due to the absence of fine-grained OAuth scopes for OneDrive.

Compounding matters further, the consent prompt users are presented with prior to a file upload is vague and does not adequately convey the level of access being granted, thereby exposing users to unexpected security risks.

“The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option,” Oasis noted.

The New York-based security company further pointed out that the OAuth tokens used to authorize access are often stored insecurely, adding they are saved in the browser’s session storage in plaintext format.

Another potential pitfall is that the authorization workflows may also involve issuing a refresh token, granting the application ongoing access to user data by allowing it to get new access tokens without having to ask the user to log in again when the current token expires.

Following responsible disclosure, Microsoft has acknowledged the problem, although there is no fix as yet. In the interim, it’s worth considering temporarily removing the option to upload files using OneDrive through OAuth until a secure alternative is in place. Alternately, it’s advised to avoid using refresh tokens and store access tokens in a secure manner and get rid of them when no longer needed.

The Hacker News has reached out to Microsoft for further comment, and we will update the story if we hear back.

“The lack of fine-grained OAuth scopes combined with Microsoft’s vague user prompt is a dangerous combination that puts both personal and enterprise users at risk,” Oasis said. “This discovery reinforces the importance of continuous vigilance in OAuth scope management, regular security assessments, and proactive monitoring to protect user data.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!