Microsoft OneDrive File Picker Vulnerability Exposes Users\u2019 Entire Cloud Storage to Websites
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical security flaw in Microsoft\u2019s OneDrive File Picker has exposed millions of users to unauthorized data access, allowing third-party web applications to gain complete access to users\u2019 entire OneDrive storage rather than just selected files.\u00a0<\/p>\n
Security researchers from Oasis Security reported on May 28, 2025, that this vulnerability stems from overly broad OAuth<\/a> scopes and misleading consent screens that fail to communicate the extent of access being granted clearly.<\/p>\n The OneDrive File Picker flaw affects hundreds of widely used web applications, including ChatGPT, Slack, Trello, and ClickUp, potentially putting millions of users at risk.\u00a0<\/p>\n The vulnerability arises from the picker\u2019s implementation of insufficient OAuth scope granularity, which requests broad File Access.Read.All or Files.ReadWrite.All permissions even when users intend to upload or share a single file.<\/p>\n Unlike competitors such as Google Drive, which offers fine-grained OAuth scopes like drive.file to restrict access to app-created or user-selected files, Microsoft\u2019s implementation grants unrestricted access to all OneDrive content.\u00a0<\/p>\n Dropbox employs an even more secure approach with its Chooser SDK, using a proprietary endpoint that avoids OAuth flows entirely.<\/p>\n The consent dialog presented to users is particularly problematic, as it doesn\u2019t convey that a click grants the integrator access to every file and folder in the user\u2019s OneDrive, not just the document they intended to share.<\/p>\n Insecure token storage practices across different versions of the OneDrive File Picker compound the security risks, reads the Oasis Security report<\/a>.<\/p>\n Older versions (6.0-7.2) used implicit authentication flows that exposed sensitive access tokens in URL fragments or stored them insecurely in browser localStorage.\u00a0<\/p>\n The latest version (8.0) requires developers to handle authentication<\/a> using the Microsoft Authentication Library (MSAL), but still stores tokens in session storage in plain text.<\/p>\n MSAL\u2019s Authorization Flow implementation creates additional vulnerabilities by potentially issuing Refresh Tokens that extend access periods beyond the typical one-hour token expiration.\u00a0<\/p>\n These long-lived tokens, when cached in localStorage or backend databases without encryption, create persistent attack vectors for malicious actors to access entire OneDrive repositories.<\/p>\n The technical implementation requires developers to request permissions such as MyFiles.Read, Sites.Read.All, or Files.ReadWrite.All through delegated permissions, but the lack of file-scoped permissions makes it impossible to limit access to specific documents.<\/p>\n Microsoft has acknowledged the security report and indicated it \u201cmay consider improvements in the future,\u201d though no specific timeline has been provided.\u00a0<\/p>\n Security experts recommend immediate action from both users and organizations to mitigate risks.<\/p>\n For individual users, experts advise reviewing third-party app access through Microsoft Account privacy settings and revoking unnecessary permissions.\u00a0<\/p>\n Organizations should implement admin consent policies or conditional-access controls that block applications requesting anything beyond Files.Read permissions.<\/p>\n Web application developers are urged to avoid requesting offline access scopes that generate Refresh Tokens and to implement secure token storage practices.\u00a0<\/p>\n Additionally, security teams should monitor Graph API and Cloud Access Security Broker (CASB)<\/a> logs for anomalous OneDrive access patterns.<\/p>\n Try in-depth sandbox malware analysis for\u00a0your SOC tea<\/strong>m. Get\u00a0ANY.RUN special offer only\u00a0until May 31<\/strong>\u00a0->\u00a0Try Here<\/a><\/strong><\/p>\n The post Microsoft OneDrive File Picker Vulnerability Exposes Users\u2019 Entire Cloud Storage to Websites<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nOneDrive File Picker Vulnerability<\/strong><\/h2>\n
Microsoft Response<\/strong><\/h2>\n