Security Flaw Discovered in Microsoft OneDrive File Picker
Published on May 28, 2025 by Ravie Lakshmanan
Tags: Data Privacy, Vulnerability
A Serious Security Vulnerability
Cybersecurity researchers have disclosed a notable security flaw in Microsoft’s OneDrive File Picker. The weakness could allow a website to read a user’s entire cloud storage rather than only the files the user chose to upload. The implications are significant, particularly for users concerned about data privacy.
According to the Oasis Research Team, the crux of the problem lies in the overly broad OAuth scopes and misleading consent screens. These elements combine to misrepresent the level of access users are granting, leading to concerns about potential customer data leakage and violations of compliance regulations.
Apps at Risk
Several popular applications, including ChatGPT, Slack, Trello, and ClickUp, may be affected because they integrate with Microsoft’s cloud services through the picker. The OneDrive File Picker lacks fine-grained OAuth scopes, so it routinely requests read access to the entire drive even when the user intends to upload a single file. This excess permission leaves far more user data exposed than the upload requires.
Oasis researchers emphasize the dangers of this situation. They pointed out that the consent prompt presented to users before uploading a file is often vague. This lack of clarity may not fully communicate the extent of access being granted, leaving users unaware of the potential risks.
Distinguishing Threats
The researchers indicated that the absence of precise OAuth scopes makes it challenging for users to differentiate between legitimate applications that ask for excessive permissions and malicious apps that aim for broad access to files. This opens the door for potential security breaches, as it becomes difficult for users to determine which applications could be posing a risk.
Security of OAuth Tokens
Compounding the problem, the OAuth tokens used to grant access are frequently stored insecurely. Oasis pointed out that these tokens are saved in the browser’s session storage as plain text. This is especially concerning where the authorization flow also issues refresh tokens: a refresh token lets an application keep its access to the user’s data, obtaining a new access token when the current one expires without asking the user to authorize again.
Microsoft’s Response and Recommendations
Microsoft acknowledged the vulnerability following responsible disclosure by the Oasis team, but there is currently no fix for the issue. As a precaution, users may wish to avoid OneDrive’s OAuth-based file upload feature until a more secure solution is available. Oasis also recommends that applications stop requesting refresh tokens, store access tokens securely, and dispose of them as soon as they are no longer needed.
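The two issues described above, broad scopes on the authorization request and plaintext tokens left in session storage, can both be checked from the client side. The following is an added example, not code from the article, Oasis or Microsoft: it audits an authorization URL for whole-drive scopes and for offline_access (the scope that causes a refresh token to be issued), and scans a Web Storage object for token-like entries so they can be removed. The scope names are Microsoft Graph delegated permission names known to the author, not listed in the article, and the storage contents and URL are constructed samples.

```javascript
// Added example (constructed inputs). Scopes below are Microsoft Graph delegated permission names
// known to the author, not taken from the article; offline_access is the one that yields a refresh token.
const BROAD_DRIVE_SCOPES = new Set(["Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All"]);
const REFRESH_TOKEN_SCOPE = "offline_access";

function auditAuthorizeUrl(authorizeUrl) {
  const scopes = (new URL(authorizeUrl).searchParams.get("scope") || "").split(/\s+/).filter(Boolean);
  const broadScopes = scopes.filter((s) => BROAD_DRIVE_SCOPES.has(s));
  const requestsRefreshToken = scopes.includes(REFRESH_TOKEN_SCOPE);
  return { scopes, broadScopes, requestsRefreshToken, ok: broadScopes.length === 0 && !requestsRefreshToken };
}

// Heuristic for a JWT: three base64url segments separated by dots.
const JWT_RE = /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/;
// Works on window.sessionStorage / localStorage or any object exposing the Web Storage interface.
function findStoredTokens(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (/token/i.test(key) || JWT_RE.test(storage.getItem(key))) hits.push(key);
  }
  return hits;
}

function scrubStoredTokens(storage) { // drop flagged entries; hold the access token in memory only
  const keys = findStoredTokens(storage);
  keys.forEach((k) => storage.removeItem(k));
  return keys;
}

class MemoryStorage { // minimal stand-in for sessionStorage so this runs outside a browser
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { const keys = [...this.map.keys()]; return i < keys.length ? keys[i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

const SAMPLE_AUTHORIZE_URL = // constructed: a picker integration asking for whole-drive read plus a refresh token
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000" +
  "&response_type=code&scope=openid%20Files.Read.All%20offline_access";

function buildSampleStorage() { // constructed session storage contents, one harmless entry and two tokens
  const s = new MemoryStorage();
  s.setItem("ui.theme", "dark");
  s.setItem("picker.accessToken", "eyJhbGciOiJSUzI1NiJ9.eyJzY3AiOiJGaWxlcy5SZWFkLkFsbCJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy");
  s.setItem("refresh_token", "constructed-opaque-refresh-token-value");
  return s;
}
```

In a real page, pass window.sessionStorage to findStoredTokens and scrubStoredTokens once the upload completes; the key-name heuristic is deliberately loose and should be reviewed against the application’s own storage keys.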
When approached for comment, Microsoft expressed appreciation for the collaboration with Oasis Security on this matter. The company noted that user consent is required before any access is granted, stating, "This technique does not meet our bar for immediate servicing." It also hinted that the user experience may be improved in future updates.
The Need for Vigilance
Oasis strongly highlighted the importance of careful management of OAuth scopes, regular security assessments, and proactive monitoring of applications to safeguard user data. The researchers asserted that the combination of vague consent prompts and broad OAuth scopes presents a serious risk for both individual and enterprise users. Continuous vigilance is crucial in preventing potential data leaks and ensuring that user privacy remains intact.
This situation underscores the complexities and challenges inherent in cloud services and user data protection. As the digital landscape evolves, maintaining security protocols must remain a priority for both users and service providers.