Flaw in Microsoft OneDrive File Picker Exposes Millions to Potential Data Breach

A recently discovered vulnerability in Microsoft’s OneDrive File Picker has raised significant alarm across the cybersecurity landscape, as it potentially allowed third-party applications extensive access to users’ private files, well beyond what was intended. The flaw, uncovered by cybersecurity firm Oasis Security, may have exposed millions of personal and business OneDrive accounts to unauthorized data access, highlighting a major gap in cloud storage security practices.

The flaw lies in the way OneDrive’s File Picker handles permissions during file uploads. Typically used to allow users to share files from their cloud storage with third-party apps like Zoom, Trello, ChatGPT, Slack, and ClickUp, the File Picker is expected to only grant access to a specific file chosen by the user. However, Oasis Security’s research found that instead of requesting permission for a single file, the File Picker grants access to the entire OneDrive directory.

According to the report, which was published on May 28, this vulnerability is rooted in the overly broad OAuth scopes requested by the OneDrive File Picker. OAuth is the industry-standard protocol for authorization. It allows apps to request access to certain resources, like a specific document or folder, without sharing the user’s password. However, in this case, the implementation requested full read access to the entire drive, opening the door for unintended data exposure.

The implications of this flaw are extensive. When users interacted with external platforms that integrate OneDrive for uploads, they unknowingly granted those applications far-reaching access to all their stored files. While the original intent may have been to share a single document, the reality was that external platforms could browse and read any content in the user’s cloud storage.

Oasis Security emphasized that the issue goes far beyond a mere privacy concern. It represents a substantial security gap that could be exploited by malicious actors or even inadvertently misused by well-intentioned applications. The access granted through OAuth tokens could last up to an hour per session, and if refresh tokens were employed, access could continue for much longer, without any user awareness or further permission.

In its advisory, Oasis stated, “This isn’t just a privacy concern—it’s a security vulnerability. The OneDrive File Picker requests overly broad permissions that stay active for up to an hour, or longer with token refreshes. This opens the door to sensitive data exposure.”

Microsoft has acknowledged receiving the research findings from Oasis and indicated that it would consider the feedback for future improvements. However, as of the latest reports, Microsoft has not offered a concrete fix or timeline to address the vulnerability. This has drawn concern from cybersecurity experts who believe the issue deserves more urgent attention.

The timing of this discovery also coincides with broader concerns about the security of OAuth-based systems. Just days before Oasis published its findings, attackers successfully exploited a flaw in Google’s OAuth framework, using a DKIM replay technique to send seemingly legitimate phishing emails. These incidents, occurring within days of each other, underscore the vulnerabilities inherent in OAuth implementations when they are not properly scoped or monitored.

For businesses and institutions that rely heavily on OneDrive for storing sensitive documents—such as financial records, internal communications, and proprietary data—the threat is significant. A single authorization could provide a third-party platform with access to everything, dramatically increasing the risk of data leaks and compliance violations under regulatory regimes like the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and others.

Oasis Security recommends that both individuals and IT departments take immediate steps to audit their Microsoft accounts. Users should review which third-party applications currently have access to their OneDrive storage and revoke permissions from any apps that appear unnecessary or unfamiliar. Furthermore, organizations are urged to train employees on how to safely use cloud-based tools and to implement policies that minimize risk from external integrations.
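As an added example (not from the article, Oasis Security or Microsoft), here is a small audit script in the spirit of the review step above and of the earlier discussion of overly broad OAuth scopes: it walks consent grants in the shape Microsoft Graph returns from its oauth2PermissionGrants resource and flags any app holding a drive-wide scope, noting whether a refresh token (offline_access) lets the access outlive the roughly one-hour access token. The scope names and the narrower alternatives suggested for them are this example's own assumptions, and the grant list is constructed sample data.

```python
import json

# Delegated Microsoft Graph scopes that expose a user's whole drive (or every site)
# instead of the single file picked in a file-picker dialog. The names are real Graph
# permission names; classifying them as "broad" and the suggested replacements are
# this example's assumptions, not something the article states.
BROAD_FILE_SCOPES = {
    "Files.Read.All": "Files.Read.Selected (per-file) or Files.Read (own drive only)",
    "Files.ReadWrite.All": "Files.ReadWrite.Selected (per-file) or Files.ReadWrite",
    "Sites.Read.All": "Sites.Selected (admin-assigned sites only)",
    "Sites.ReadWrite.All": "Sites.Selected (admin-assigned sites only)",
}

# Constructed sample in the shape of Graph's oauth2PermissionGrants resource
# (clientId, consentType, principalId, scope). Not data from any real tenant.
SAMPLE_GRANTS = json.loads("""[
  {"clientId": "sp-filepicker-demo", "consentType": "Principal",
   "principalId": "user-1", "scope": "openid profile Files.Read.All offline_access"},
  {"clientId": "sp-notes-demo", "consentType": "Principal",
   "principalId": "user-2", "scope": "User.Read Files.Read.Selected"},
  {"clientId": "sp-backup-demo", "consentType": "AllPrincipals",
   "principalId": null, "scope": "Files.ReadWrite.All Sites.Read.All"}
]""")


def find_broad_grants(grants):
    """Return one finding per grant whose delegated scope includes a drive-wide scope."""
    findings = []
    for grant in grants:
        scopes = set(grant.get("scope", "").split())
        broad = sorted(scopes.intersection(BROAD_FILE_SCOPES))
        if not broad:
            continue
        findings.append({
            "clientId": grant["clientId"],
            # AllPrincipals means an admin consented on behalf of every user in the tenant.
            "tenant_wide": grant.get("consentType") == "AllPrincipals",
            "principalId": grant.get("principalId"),
            "broad_scopes": broad,
            # offline_access yields a refresh token, so access outlives the ~1h access token.
            "persistent": "offline_access" in scopes,
            "least_privilege_alternative": {s: BROAD_FILE_SCOPES[s] for s in broad},
        })
    return findings


if __name__ == "__main__":
    for finding in find_broad_grants(SAMPLE_GRANTS):
        print(json.dumps(finding, indent=2))
```

Against a real tenant the grant list would come from a Graph call an administrator is authorized to make; the review action for each finding is to revoke the grant or re-consent the app with the narrower scope.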

The issue also revives discussion around the importance of the “principle of least privilege”—a security best practice that stipulates users and systems should be given the minimum access necessary to perform their tasks. In the case of OneDrive File Picker, the lack of fine-grained control flies in the face of this principle. Without the ability to limit access to a specific file, users inadvertently enable overly broad permissions that significantly expand their vulnerability.

Security professionals argue that Microsoft must move quickly to implement more granular permission settings within its OAuth framework. This would allow developers to request access only to specific files or folders and would ensure users are fully informed about the scope of data being shared during authorization processes.

Until those changes are made, the onus remains on users to protect their data. Awareness is the first line of defense. Many users are unaware that uploading a file through a third-party app could lead to prolonged, full access to their entire OneDrive storage. By understanding the risks and proactively managing app permissions, users can reduce the likelihood of unwanted data exposure.

The broader cybersecurity community has also raised concerns about the systemic nature of excessive permissions in modern cloud ecosystems. As more productivity platforms offer integrations with major cloud providers like Microsoft and Google, the scope of access granted through OAuth has become a blind spot for many organizations. Developers are often incentivized to request broader permissions to streamline their app functionality, but this convenience can come at the cost of security.

In a statement summarizing their findings, the Oasis Security team concluded, “This is a wake-up call for developers, cloud providers, and users alike. Without stronger controls, excessive permissions will continue to be a silent vulnerability in countless systems.”

In conclusion, the OneDrive File Picker flaw serves as a stark reminder of the delicate balance between usability and security. While the integration of third-party apps with cloud services can enhance productivity and collaboration, it must be done with careful attention to data protection. Microsoft’s next steps in addressing this vulnerability will be closely watched by both security experts and users. In the meantime, vigilance, transparency, and smarter permission controls remain essential tools for preventing the unintended exposure of sensitive information.
