Microsoft OneDrive File Picker Bug Exposes Entire Cloud Storage to Third-Party Apps


A security flaw has been discovered in Microsoft’s OneDrive File Picker that could allow third-party apps and websites to access a user’s entire OneDrive cloud storage even when the user only wants to upload a single file.

Cybersecurity researchers from Oasis Security reported the issue and said the vulnerability stems from overly broad OAuth permissions and unclear consent screens. This flaw creates a serious risk of data leaks, privacy violations, and non-compliance with data protection regulations.

How OneDrive File Picker Flaw Works

The flaw lies in the way Microsoft’s OneDrive File Picker works with OAuth, a popular authorization framework used to allow apps to access user data. According to the Oasis research team, when users try to upload a file through the OneDrive Picker, the tool requests permission to access the entire cloud storage rather than just the file selected.

“The issue is due to the lack of fine-grained OAuth scopes in OneDrive,” said Oasis Security in a detailed report. “Even if users only want to upload one file, the app still receives read access to the full drive.”

This means that even trustworthy-looking apps could be granted full access to all user files just because OneDrive’s permission system is too broad. Even worse, users are shown a vague and unclear consent screen that doesn’t properly inform them of the extent of access being granted.

Popular Apps Could Be Affected

The flaw doesn’t just affect Microsoft’s own tools. Many third-party applications that integrate with OneDrive are potentially at risk. These include:

  • ChatGPT

  • Slack

  • Trello

  • ClickUp

These apps often use the OneDrive File Picker to let users upload files, but due to the flaw, they may be unknowingly granted access to all files in the user’s cloud account.

The Role of OAuth Tokens in the Risk

Adding to the risk, the OAuth tokens — which are used to authenticate and authorize access — are often stored in an insecure way. Oasis found that many websites store these tokens in the browser’s session storage in plain text. This makes them an easy target for attackers who exploit browser vulnerabilities or use malicious scripts.

Additionally, if the authorization flow includes a refresh token, apps could maintain long-term access to user data without needing the user to log in again. This means even after the initial upload, the app could continue to access files in the background.

The main issue here is the combination of excessive permissions and poor user communication. Users have no way of knowing whether they’re giving access to just one file or their entire OneDrive account. And because of the broad permissions, even well-intentioned apps end up getting more access than they actually need.

“This dangerous combination puts both personal and enterprise users at serious risk,” said the Oasis team. “It highlights the urgent need for more granular permission controls and better consent transparency.”


Oasis responsibly disclosed the issue to Microsoft, and the tech giant has acknowledged the flaw. However, as of now, no official fix has been released.

In the meantime, users and organizations are advised to take precautionary steps:

  • Avoid using OneDrive File Picker for uploads until the issue is resolved.

  • Refrain from using refresh tokens in your app’s OAuth flow.

  • Store access tokens securely, not in plaintext, and remove them once they’re no longer needed.

The Hacker News has reached out to Microsoft for further comment. If an update or patch is released, users should apply it immediately to secure their cloud accounts.

Recommendations

For developers and system administrators, this is a wake-up call to prioritize secure OAuth implementations. Some best practices include:

  • Use scopes that match the minimum required access.

  • Show clear consent messages to end users.

  • Avoid storing sensitive tokens in the browser unless absolutely necessary.

  • Implement token expiration and revocation mechanisms.

  • Monitor app behavior to detect unauthorized data access.
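The token-handling advice above (no refresh tokens, no plaintext tokens in the browser, drop the token once the upload is done) and the scope-minimization practice in this list, as an added browser-side JavaScript example that is not Oasis Security's or Microsoft's code; the scope strings are sample values chosen for the illustration, not a list of what the OneDrive File Picker actually requests.

```javascript
// Added example: audit the scopes an upload flow requests and hold the
// resulting access token in memory rather than in sessionStorage.
// Scope names below are constructed sample values for this illustration.

// Report every requested scope that goes beyond the minimal set the
// upload needs: drive-wide grants (".All"), write access when only a
// read of the selected file is required, or anything else not needed.
function auditScopes(requested, needed) {
  const findings = [];
  for (const s of requested) {
    if (needed.includes(s)) continue;
    if (s.endsWith('.All')) findings.push({ scope: s, reason: 'drive-wide access' });
    else if (/ReadWrite/.test(s)) findings.push({ scope: s, reason: 'write access not needed' });
    else findings.push({ scope: s, reason: 'not in the minimal set' });
  }
  return findings;
}

// Keep the access token in a closure instead of sessionStorage, so it is
// not sitting in plaintext where any script or extension that enumerates
// storage can read it, and forget it on expiry or when the upload ends.
// A refresh token is rejected outright, per the interim advice above.
// `now` is injectable so expiry can be exercised deterministically.
function createTokenHolder(tokenResponse, now = () => Date.now()) {
  if (tokenResponse.refresh_token) {
    throw new Error('refresh tokens are not accepted in this flow');
  }
  let token = tokenResponse.access_token;
  const expiresAt = now() + tokenResponse.expires_in * 1000;
  return {
    // Returns the token while it is valid, null after expiry or release.
    get() {
      if (token !== null && now() < expiresAt) return token;
      token = null;
      return null;
    },
    // Call as soon as the upload completes; in a real app this is also
    // where the provider's revocation endpoint would be called.
    release() { token = null; },
    isHeld() { return token !== null; },
  };
}
```

The `auditScopes` result is what a consent screen or a pre-release review should surface to the user or reviewer before the authorization request is sent.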

This OneDrive File Picker vulnerability is a clear example of how flawed permission systems and vague user interfaces can expose sensitive data — even without any malicious intent on the part of the user. With so many popular tools relying on cloud integrations, it’s essential for tech companies like Microsoft to improve their OAuth implementations and make them more transparent and secure.

Until Microsoft releases a fix, users should remain cautious about uploading files through OneDrive in third-party apps. This incident also reinforces the need for continuous security monitoring, privacy-first design, and stronger data protection policies in cloud platforms.
