A newly uncovered flaw in Microsoft’s OneDrive File Picker could be putting millions of users at risk of unintended data exposure, says new research from cybersecurity firm Oasis Security.
The issue allows websites to access a user’s entire OneDrive, rather than just the specific files selected for upload, due to a combination of excessive permissions and vague consent prompts.
The flaw affects hundreds of popular applications that integrate with OneDrive File Picker, including widely used platforms like ChatGPT, Slack, Trello, and ClickUp. As a result, millions of users may have inadvertently granted these services full access to their cloud storage, with potential consequences ranging from accidental data leaks to serious compliance violations.
Oasis Security disclosed the vulnerability to Microsoft upon discovery and issued an advisory to vendors currently using the affected implementation. Microsoft has acknowledged the issue and indicated that future updates may include more precise permission alignment to reduce the risk of overexposure.
A Hidden Loophole
At the heart of the problem is the way the OneDrive File Picker handles OAuth permissions. Even when users intend to upload just one file, the File Picker implementation requests read access to the user’s entire drive. This stems from the absence of fine-grained OAuth scopes in OneDrive’s access model, which forces apps to ask for more access than they truly need.
To make matters worse, the consent screen shown to users during file uploads is unclear, offering little transparency about the actual level of access being granted. This leaves users unable to differentiate between legitimate apps requesting necessary permissions and potentially malicious ones exploiting the system.
“The vague language of the consent prompt means users may think they’re granting access to a single file when in fact they’re opening the door to everything stored on their OneDrive,” Oasis researchers explained.
Insecure Handling of Sensitive Tokens
The risks aren’t limited to just permission overreach. Oasis Security also discovered that the latest version of OneDrive File Picker (version 8.0) introduces a separate set of vulnerabilities related to how sensitive secrets are handled during authentication.
Developers using version 8.0 must manage authentication themselves, typically via Microsoft’s Authentication Library (MSAL) and the Authorization Code Flow. This setup often leads to security missteps:
- MSAL stores access tokens in the browser’s session storage as plain text.
- The use of the Authorization Code Flow can issue refresh tokens, which remain valid for extended periods and allow continuous access to the user’s data.
Oasis points out that OpenAI, among others, currently uses version 8.0, raising concerns about token security in widely adopted applications.
What Users and Organizations Should Do
In light of these findings, Oasis Security strongly recommends that both individuals and enterprise administrators review their existing app permissions and take immediate steps to mitigate potential exposure.
Private users can inspect and manage their app permissions by logging into their Microsoft account, navigating to the Privacy section, and reviewing access under the “App Access” pane. Each app’s permissions can be reviewed in detail, and sharing can be stopped at any time. While revoking access will immediately invalidate refresh tokens, access tokens may take up to an hour to expire.
For firms, the process involves using the Entra Admin Center to audit enterprise applications. Admins can examine the scopes and permissions granted to each app and identify which users authorized them. Although filtering directly for delegated permissions isn’t currently supported, organizations can still manually investigate each app’s access rights and take corrective action where necessary.
Users can also test whether a website relies on OneDrive File Picker by initiating an upload through the site and observing the permissions requested during the consent flow.
Recommendations for Web App Developers
For developers, the safest option is to temporarily disable the use of OneDrive File Picker via OAuth until Microsoft provides a more secure implementation. As an interim solution, Oasis suggests offering users the ability to share view-only file links instead, acknowledging this may be less convenient but far safer.
If removing the File Picker is not a practical option, Oasis advises the following security measures:
- Avoid using refresh tokens by not requesting the “offline_access” scope and eliminating related logic from your codebase.
- If any refresh tokens are currently stored, securely dispose of them.
- Store access tokens securely, outside of browser session or local storage, and ensure they are discarded once no longer needed.
With millions of users relying on cloud integrations every day, Oasis Security’s findings underscore the critical need for more transparent and secure access control in cloud platforms. While Microsoft has signaled a willingness to improve OneDrive’s permission framework, the responsibility also lies with vendors and users to remain vigilant.
Over Permissioning Dangers
Vijay Dilwale, Principal Security Consultant at Black Duck, says the core issue is with Microsoft’s OneDrive File Picker, which requests broad access to a user’s entire OneDrive—even when the user is just trying to upload a single file.
“The user experience makes it seem like only the selected file is being shared, but in reality, the app often gets full read (and sometimes write) access to everything. It’s a classic case of over-permissioned OAuth scopes combined with a misleading consent flow. This design creates unnecessary exposure for both individuals and organizations, especially when third-party apps are involved.”
For security teams, Dilwale says this is a good opportunity to take a step back and review how cloud storage integrations are being used across the organization. “Start with configuration reviews—look at which apps have access to OneDrive and what scopes they’ve been granted. If you’re building apps internally, include OAuth scope reviews and token handling in your design and architecture reviews. And in higher-risk environments, consider pen testing workflows that involve file uploads or third-party integrations to see how far access really goes.”
More broadly, this is a reminder that default settings and user consent flows don’t always reflect secure design. Even when using well-known tools, we need to validate what’s really happening behind the scenes—and push for more granular, transparent options from our vendors, he adds.
Complete Read Access
Oasis Security’s recent research highlights a major privacy and security issue associated with Microsoft OneDrive’s integration with popular web applications such as ChatGPT, Slack, and Trello, says Eric Schwake, Director of Cybersecurity Strategy at Salt Security.
“Specifically, this problem enables these apps to obtain complete read access to a user’s entire OneDrive content instead of just the selected files for upload due to insufficiently detailed OAuth scopes in the official OneDrive File Picker. Additionally, sensitive secrets required for this access are often stored in an insecure manner by default. This situation presents a key API security challenge for security teams: excessively broad API access is frequently allowed without clear user awareness, as consent screen language can be ambiguous. With the emergence of Agentic AI, where services like ChatGPT heavily depend on APIs to access and handle user data, this wide-ranging access poses an even greater risk. This situation emphasizes the critical necessity for strong API governance to guarantee that all API permissions are meticulously managed, adhering to the principle of least privilege, while ensuring that tokens are securely handled to avoid extensive data exposure,” Schwake adds.
Enforce Admin Consent
Jason Soroko, Senior Fellow at Sectigo, adds that users should assume that every SaaS plug-in they authorize has the keys to their personal or enterprise crown jewels unless proven otherwise. “Security teams should enforce ‘admin consent’ or conditional-access policies that block apps requesting anything beyond Files.Read. They should also review existing enterprise app registrations for high-risk scopes and disable or re-authorise them with the least privilege alternatives and require short-lived bound tokens via Continuous Access Evaluation and token-protection in Entra ID. Finally, I would recommend that security teams monitor Graph API and CASB logs for anomalous OneDrive access patterns and push Microsoft and vendors to adopt granular, and most importantly, file-scoped permissions and clearer consent UX.”
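The enterprise audit described earlier (which scopes each app holds and which users authorized them) and the "nothing beyond Files.Read" ceiling quoted above can be scripted over an export of delegated permission grants. The following is an added example, not code from Oasis Security, Microsoft or this article: it assumes the JSON shape of Microsoft Graph's oauth2PermissionGrants and servicePrincipals resources, uses constructed ids and app names, and treats any Files.* scope other than Files.Read, plus offline_access, as a finding.

```python
import json

# Constructed sample shaped like Microsoft Graph's GET /v1.0/oauth2PermissionGrants
# and GET /v1.0/servicePrincipals responses; every id and app name is made up.
GRANTS = json.loads("""{"value": [
 {"clientId": "sp-001", "consentType": "Principal", "principalId": "user-a",
  "scope": " Files.Read.All offline_access"},
 {"clientId": "sp-001", "consentType": "Principal", "principalId": "user-b",
  "scope": "Files.Read.All offline_access"},
 {"clientId": "sp-002", "consentType": "AllPrincipals", "principalId": null,
  "scope": "User.Read Files.ReadWrite.All"},
 {"clientId": "sp-003", "consentType": "Principal", "principalId": "user-a",
  "scope": "User.Read Files.Read"}]}""")["value"]
APPS = {"sp-001": "Example Uploader", "sp-002": "Example Sync Tool",
        "sp-003": "Example Viewer"}  # servicePrincipal id -> displayName

ALLOWED_FILE_SCOPES = {"files.read"}   # policy ceiling: nothing beyond Files.Read
REFRESH_SCOPES = {"offline_access"}    # scope that causes refresh tokens to be issued

def risky_scopes(scope_string):
    """Return the scopes in one grant that exceed the policy, sorted."""
    found = set()
    for scope in scope_string.split():   # the scope field is space-separated
        s = scope.lower()
        if s in REFRESH_SCOPES or (s.startswith("files.") and s not in ALLOWED_FILE_SCOPES):
            found.add(scope)
    return sorted(found)

def audit(grants, apps):
    """Group over-broad delegated grants by app, with who consented."""
    report = {}
    for g in grants:
        bad = risky_scopes(g.get("scope") or "")
        if not bad:
            continue
        entry = report.setdefault(g["clientId"], {
            "app": apps.get(g["clientId"], "<unknown app>"),
            "scopes": set(), "users": set(), "tenant_wide": False})
        entry["scopes"].update(bad)
        if g["consentType"] == "AllPrincipals":   # admin consented for every user
            entry["tenant_wide"] = True
        elif g.get("principalId"):
            entry["users"].add(g["principalId"])
    return report

if __name__ == "__main__":
    for sp_id, e in sorted(audit(GRANTS, APPS).items()):
        who = "all users" if e["tenant_wide"] else ", ".join(sorted(e["users"]))
        print(f"{e['app']} ({sp_id}): {sorted(e['scopes'])} granted by {who}")
```

Grants flagged as tenant-wide come from admin consent and apply to every user, so they deserve review first.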
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.