A critical security flaw in Microsoft’s OneDrive File Picker has exposed hundreds of thousands of users to unauthorized data access, allowing third-party web applications to gain full access to users’ entire OneDrive storage rather than just the files they selected.
Security researchers from Oasis Security reported on May 28, 2025, that the vulnerability stems from overly broad OAuth scopes and misleading consent screens that fail to clearly communicate the extent of the access being granted.
The OneDrive File Picker flaw affects hundreds of widely used web applications, including ChatGPT, Slack, Trello, and ClickUp, potentially putting hundreds of thousands of users at risk.
OneDrive File Picker Vulnerability
The vulnerability arises from the picker’s insufficient OAuth scope granularity: it requests the broad Files.Read.All or Files.ReadWrite.All permissions even when the user only intends to upload or share a single file.
Unlike competitors such as Google Drive, which offers fine-grained OAuth scopes like drive.file to restrict access to app-created or user-selected files, Microsoft’s implementation grants unrestricted access to all OneDrive content.
Dropbox takes an even more secure approach with its Chooser SDK, using a proprietary endpoint that avoids OAuth flows entirely.
The consent dialog presented to users is particularly problematic, because it does not convey that a single click grants the integrator access to every file and folder in the user’s OneDrive, not just the document they intended to share.
Insecure token storage practices across different versions of the OneDrive File Picker compound the security risks, reads the Oasis Security report.
Older versions (6.0-7.2) used implicit authentication flows that exposed sensitive access tokens in URL fragments or stored them insecurely in browser localStorage.
The latest version (8.0) requires developers to handle authentication using the Microsoft Authentication Library (MSAL), but still stores tokens in session storage in plain text.
MSAL’s Authorization Flow implementation creates additional exposure by potentially issuing Refresh Tokens that extend access well beyond the typical one-hour access token expiration.
These long-lived tokens, when cached in localStorage or backend databases without encryption, create persistent attack vectors for malicious actors to access entire OneDrive repositories.
The technical implementation requires developers to request permissions such as MyFiles.Read, Sites.Read.All, or Files.ReadWrite.All as delegated permissions, but the lack of file-scoped permissions makes it impossible to limit access to specific documents.
Microsoft Response
Microsoft has acknowledged the security report and indicated it “may consider improvements in the future,” though no specific timeline has been provided.
Security experts recommend immediate action from both users and organizations to mitigate the risk.
For individual users, experts advise reviewing third-party app access through Microsoft Account privacy settings and revoking unnecessary permissions.
Organizations should implement admin consent policies or conditional-access controls that block applications requesting anything beyond Files.Read permissions.
Web application developers are urged to avoid requesting offline access scopes that generate Refresh Tokens and to implement secure token storage practices.
Additionally, security teams should monitor Graph API and Cloud Access Security Broker (CASB) logs for anomalous OneDrive access patterns.
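As an added example (not code from the Oasis Security report, Microsoft, or any of the applications named above), the following JavaScript applies the recommendations above to an OAuth authorize request before it is sent or consented: it parses the requested scopes and blocks anything beyond Files.Read, as well as offline_access, the scope that yields Refresh Tokens. It assumes a runtime with the standard URL API (Node or a browser); the client_id and redirect_uri in the sample URL are placeholders.

```javascript
// Added example (not code from Oasis Security or Microsoft): apply the
// article's policy to an OAuth authorize request before it is sent or
// consented: block anything beyond Files.Read and block offline_access,
// the scope that yields long-lived Refresh Tokens.
const IDENTITY_SCOPES = new Set(["openid", "profile", "email", "user.read"]);
const ALLOWED_FILE_SCOPES = new Set(["files.read"]);
const REFRESH_TOKEN_SCOPE = "offline_access";

// Strip a resource prefix such as "https://graph.microsoft.com/" so that
// "https://graph.microsoft.com/Files.Read" and "Files.Read" compare equal.
function normalizeScope(scope) {
  const idx = scope.lastIndexOf("/");
  return idx === -1 ? scope : scope.slice(idx + 1);
}

// Scopes travel space-separated in the "scope" parameter; URLSearchParams
// decodes both "+" and "%20" to a space, so both encodings are handled.
function extractScopes(authorizeUrl) {
  const raw = new URL(authorizeUrl).searchParams.get("scope") || "";
  return raw.split(/\s+/).filter(Boolean).map(normalizeScope);
}

// Verdict: the scopes seen, those exceeding the policy, whether a Refresh
// Token is requested, and a single block/allow decision.
function auditOAuthRequest(authorizeUrl) {
  const scopes = extractScopes(authorizeUrl);
  const overBroad = [];
  let requestsRefreshToken = false;
  for (const s of scopes) {
    const key = s.toLowerCase();
    if (key === REFRESH_TOKEN_SCOPE) { requestsRefreshToken = true; continue; }
    if (IDENTITY_SCOPES.has(key) || ALLOWED_FILE_SCOPES.has(key)) continue;
    // Files.ReadWrite.All, Sites.Read.All, MyFiles.Read and ".default"
    // (every permission the app has been granted) all land here.
    overBroad.push(s);
  }
  return { scopes, overBroad, requestsRefreshToken,
           block: overBroad.length > 0 || requestsRefreshToken };
}

// Constructed sample: the shape of request a File Picker integration sends
// (placeholder client_id and redirect_uri, not real values).
const SAMPLE_AUTHORIZE_URL =
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=00000000-0000-0000-0000-000000000000&response_type=code" +
  "&redirect_uri=https%3A%2F%2Fexample.test%2Fcallback" +
  "&scope=openid+profile+offline_access" +
  "+https%3A%2F%2Fgraph.microsoft.com%2FFiles.ReadWrite.All";
console.log(auditOAuthRequest(SAMPLE_AUTHORIZE_URL));
```

The same check can be run against an MSAL `loginRequest.scopes` array by joining it with spaces into a synthetic URL, or against the scope column of a consent-grant audit export.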