Source: hackread.com – Author: Waqas.
A recent investigation by cybersecurity researchers at Oasis Security has revealed a data overreach in how Microsoft’s OneDrive File Picker handles permissions, opening the door for hundreds of popular web applications, including ChatGPT, Slack, Trello, and ClickUp, to access far more user data than most people realize.
According to the report, the problem comes from how the OneDrive File Picker requests OAuth permissions. Instead of limiting access to just the files a user selects for upload or download, the system grants connected applications broad read or write permissions across the user’s entire OneDrive. This means that when you click to upload a single file, the app may be able to see or modify everything in your cloud storage and maintain that access for extended periods.
A Hidden Access Problem
OAuth is the widely used industry standard that allows apps to request access to user data on another platform, with user consent. But as Oasis explains in their blog post shared with Hackread.com ahead of its publication on Wednesday, the OneDrive File Picker lacks “fine-grained” OAuth scopes that could better restrict what connected apps can see or do.
Microsoft’s current setup presents the user with a consent screen that suggests only the selected files will be accessed, but in reality, the application gains sweeping permissions over the entire drive.
This works quite differently compared to how services like Google Drive and Dropbox handle similar integrations. Both offer more precise permission models, allowing apps to interact only with specific files or folders without handing over the keys to the whole storage account.
Adding to the concern, older versions of the OneDrive File Picker (versions 6.0 through 7.2) used outdated authentication flows that exposed sensitive access tokens in insecure places, like browser localStorage or URL fragments. Even the latest version (8.0), while more modern, still stores these tokens in browser session storage in plain text, leaving them vulnerable if an attacker gains local access.
Millions of Users at Risk
Oasis Security estimates that hundreds of apps use the OneDrive File Picker to facilitate file uploads, putting millions of users at risk. For example, ChatGPT users can upload files directly from OneDrive, and with over 400 million users reported each month, the scale of possible over-permissioning is massive.
Oasis contacted both Microsoft and several app vendors ahead of releasing its findings. Microsoft acknowledged the report and indicated it may explore improvements in the future, but as of now, the system works as designed.
An Expert View on the API Security Challenge
Eric Schwake, Director of Cybersecurity Strategy at Salt Security, commented on the research, stating, “Oasis Security’s research points to a major privacy risk in how Microsoft OneDrive connects with popular apps like ChatGPT, Slack, and Trello. Because the OAuth scopes in the OneDrive File Picker are too broad, apps can gain access to an entire drive, not just selected files.”
He warned that “Combined with insecure storage of access tokens, this creates a serious API security challenge. As more tools rely on APIs to handle sensitive data, it’s essential to apply strict governance, limit permissions, and secure tokens to avoid exposing user information.”
What Users and Companies Should Do
For users, it’s worth checking which third-party apps have access to your Microsoft account. This can be done through the account’s privacy settings, where you can view app permissions and revoke any you no longer trust.
How to Check Which Third-Party Apps Have Access to Your Microsoft Account
- Go to your Microsoft Account page – Visit account.microsoft.com and sign in if you aren’t already.
- Click on “Privacy” – In the top or left menu, find and click the Privacy section.
- Find “Apps and Services” – Scroll down or look under account settings for Apps and Services you’ve given access to.
- View app details – You’ll see a list of apps that have permission to access your Microsoft account. Click Details on each app to see what data or scopes they can access.
- Revoke access if needed – If you no longer trust or use an app, click Remove these permissions or Stop sharing to revoke its access.
For companies, Oasis recommends reviewing enterprise applications in the Entra Admin Center and monitoring service principal permissions to see which apps may have broader access than intended. Using tools like the Azure CLI can help automate parts of this review.
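As an added illustration of the enterprise review described above (not code from Oasis, Microsoft, or this article), the following Python filter reads the JSON that the Azure CLI's `az rest` call against Microsoft Graph's `oauth2PermissionGrants` endpoint returns and flags every delegated grant that reaches beyond the files a user actually picks. The sample grants and all identifiers in it are constructed placeholders, and the list of "broad" scopes is an assumption (Files.*.All and Sites.*.All are treated as drive-wide).

```python
import json

# Constructed sample modelled on the shape Microsoft Graph returns from
#   GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants
# Fetch the real thing with:
#   az rest --method GET --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants"
# Every identifier below is a made-up placeholder, not real tenant data.
SAMPLE_GRANTS = json.dumps({
    "value": [
        {"clientId": "sp-file-picker-app-000", "consentType": "AllPrincipals",
         "principalId": None, "resourceId": "sp-graph-000",
         "scope": "openid profile Files.ReadWrite.All offline_access"},
        {"clientId": "sp-calendar-app-000", "consentType": "Principal",
         "principalId": "user-000", "resourceId": "sp-graph-000",
         "scope": "Calendars.Read"},
        {"clientId": "sp-notes-app-000", "consentType": "Principal",
         "principalId": "user-001", "resourceId": "sp-graph-000",
         "scope": "Files.Read offline_access"},
    ]
})

# Assumed set of delegated Graph scopes that cover the whole drive or site,
# i.e. far more than the files a user selects in a picker.
BROAD_FILE_SCOPES = {"Files.Read.All", "Files.ReadWrite.All",
                     "Sites.Read.All", "Sites.ReadWrite.All"}


def flag_broad_grants(grants_json: str, broad=BROAD_FILE_SCOPES) -> list[dict]:
    """Return one finding per grant that carries a drive-wide file scope.

    Each finding records the client service principal, whether the grant is
    tenant-wide (AllPrincipals) or per-user, the offending scopes, and whether
    offline_access (refresh tokens, i.e. long-lived access) was also granted.
    """
    findings = []
    for grant in json.loads(grants_json).get("value", []):
        scopes = set(grant.get("scope", "").split())
        hit = sorted(scopes & broad)
        if not hit:
            continue
        findings.append({
            "clientId": grant["clientId"],
            "tenant_wide": grant.get("consentType") == "AllPrincipals",
            "broad_scopes": hit,
            "long_lived": "offline_access" in scopes,
        })
    # Tenant-wide grants first, then those that also mint refresh tokens.
    findings.sort(key=lambda f: (not f["tenant_wide"], not f["long_lived"]))
    return findings


if __name__ == "__main__":
    for finding in flag_broad_grants(SAMPLE_GRANTS):
        print(finding)
```

Each flagged client can then be looked up in the Entra Admin Center (or with `az ad sp show`) to decide whether the grant should be narrowed or revoked.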
For developers, the best immediate steps include avoiding the use of long-lived refresh tokens, securely storing access tokens, and disposing of them when no longer needed. Until Microsoft offers more precise OAuth scopes for OneDrive integrations, developers are encouraged to explore safer workarounds, like supporting “view-only” shared file links instead of direct picker integrations.
Original Post url: https://hackread.com/onedrive-file-picker-apps-full-access-user-drives/
Category & Tags: Security, Microsoft, ChatGPT, ClickUp, Cybersecurity, OneDrive, OneDrive File Picker, Privacy, Slack, Trello, Vulnerability