Cybersecurity experts have found a security issue in Microsoft’s OneDrive File Picker that could let websites access a user’s entire cloud storage, not just the files they choose to upload.
According to the Oasis Research Team, the problem comes from overly broad permissions (OAuth scopes) and consent screens that don’t clearly explain what users are agreeing to. This flaw could lead to serious problems, like leaking private data and breaking data protection rules.
Several popular apps that connect with Microsoft’s cloud services, such as ChatGPT, Slack, Trello, and ClickUp, may also be affected by this vulnerability.
Oasis pointed out that the problem stems from OneDrive’s file picker requesting access to the whole drive, even if the user only wants to upload one file. This happens because OneDrive doesn’t support fine-grained OAuth scopes.
Making things worse, the message users see before uploading a file doesn’t clearly explain what level of access they’re actually giving. This can leave users exposed to unexpected security risks.
Oasis explained that without more detailed permission options, users can’t tell the difference between harmful apps trying to access all their files and well-meaning apps that request too much access simply because there’s no safer way to do it.
The New York-based cybersecurity firm also warned that the OAuth tokens used to grant access are often stored in an unsafe way, in plain text inside the browser’s session storage. This makes them easier for attackers to steal if the browser is compromised.
Another concern is the use of refresh tokens in the login process. These tokens let apps keep accessing user data by getting new access tokens automatically without asking the user to log in again after the original token expires. This increases the risk if the token is ever stolen.
After responsible disclosure, Microsoft confirmed the flaw, but a patch hasn’t been rolled out yet. Until then, the best move is to turn off OneDrive uploads via OAuth if possible. Developers should also be careful with how they handle access: skip refresh tokens when you can, lock down access tokens, and discard them when you’re done.
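The three developer-side checks above (what scopes were actually granted, whether a refresh token was issued, and whether a token has been left in Web Storage) can be scripted. The following is an added example, not code from the article, from Oasis or from Microsoft's picker. The scope names are real Microsoft Graph delegated permissions, but which of them a given picker requests is an assumption here; the token response, the storage contents and the `uploadFn` callback are all constructed for the example.

```javascript
// Added example (not from the article, Oasis or Microsoft): audit what an
// OAuth token response grants, scan Web Storage for plain-text tokens, and
// keep the access token only for the duration of a single upload.

// Delegated Microsoft Graph scopes that reach every file in the drive
// (or site) instead of the one file the user picked. Which of these a
// picker asks for is an assumption for this example.
const BROAD_FILE_SCOPES = new Set([
  "Files.Read",
  "Files.ReadWrite",
  "Files.Read.All",
  "Files.ReadWrite.All",
  "Sites.Read.All",
  "Sites.ReadWrite.All",
]);

// Rough shape of a JWT (three base64url segments, header starting "eyJ").
const JWT_SHAPE = /^eyJ[\w-]*\.[\w-]*\.[\w-]*$/;

// Constructed token response in the shape an OAuth 2.0 token endpoint returns.
// The access_token is a made-up, unsigned JWT; nothing here is a real credential.
const SAMPLE_TOKEN_RESPONSE = {
  token_type: "Bearer",
  scope: "Files.ReadWrite.All offline_access openid profile",
  access_token: "eyJhbGciOiJub25lIn0.eyJzY3AiOiJGaWxlcy5SZWFkV3JpdGUuQWxsIn0.c2ln",
  refresh_token: "constructed-refresh-token",
  expires_in: 3600,
};

// Constructed stand-in for sessionStorage contents (plain object; the scanner
// also accepts a real Storage object).
const SAMPLE_SESSION_STORAGE = {
  "picker.theme": "dark",
  "upload.accessToken": "eyJhbGciOiJub25lIn0.eyJzY3AiOiJGaWxlcy5SZWFkV3JpdGUuQWxsIn0.c2ln",
  "unrelated": "eyJ not a jwt",
};

// Parse the space-separated `scope` field of a token response and report
// scopes that grant more than the single upload the user expected, plus
// whether a refresh token was issued (directly or via offline_access).
function auditTokenResponse(tokenResponse) {
  const granted = (tokenResponse.scope || "").split(/\s+/).filter(Boolean);
  const broadScopes = granted.filter((s) => BROAD_FILE_SCOPES.has(s));
  const refreshTokenIssued =
    (typeof tokenResponse.refresh_token === "string" && tokenResponse.refresh_token.length > 0) ||
    granted.includes("offline_access");
  const findings = broadScopes.map((s) => `scope ${s} grants access beyond the selected file`);
  if (refreshTokenIssued) {
    findings.push("refresh token issued: access outlives the current session");
  }
  return { granted, broadScopes, refreshTokenIssued, findings };
}

// Return the keys of any storage entries that look like persisted tokens,
// either by key name or because the value has JWT shape. Works on a real
// Storage object (sessionStorage/localStorage) or a plain object.
function findStoredTokens(storage) {
  const entries =
    typeof storage.key === "function"
      ? Array.from({ length: storage.length }, (_, i) => [storage.key(i), storage.getItem(storage.key(i))])
      : Object.entries(storage);
  return entries
    .filter(([key, value]) => /token/i.test(key) || JWT_SHAPE.test(String(value)))
    .map(([key]) => key);
}

// Use the access token for one upload, then strip both tokens from the
// response object so nothing downstream can keep or persist them.
// `uploadFn(token, file)` is a hypothetical caller-supplied function.
function withShortLivedToken(tokenResponse, uploadFn, file) {
  try {
    return uploadFn(tokenResponse.access_token, file);
  } finally {
    delete tokenResponse.access_token;
    delete tokenResponse.refresh_token;
  }
}

// Stand-alone run over the constructed samples.
function main() {
  console.log(auditTokenResponse(SAMPLE_TOKEN_RESPONSE).findings);
  console.log("tokens in storage:", findStoredTokens(SAMPLE_SESSION_STORAGE));
}
main();
```

In a real picker integration the audit would run on the response from the token endpoint before the app touches the drive, and the storage scan is the kind of check to add to a client-side security test rather than to production code. Requesting scopes without `offline_access` is what prevents the refresh token from being issued in the first place; the audit only confirms it.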
Oasis warned that the real danger lies in how wide-open OAuth permissions are, paired with Microsoft’s vague consent messages. It’s a wake-up call to tighten permission scopes, do regular security check-ins, and keep a closer eye on how apps handle user data.