Driek Desmet | Securing Insights

OneDrive File Picker Vulnerability: What You Need to Know

A significant vulnerability in Microsoft’s OneDrive File Picker has been uncovered by Oasis Security, raising concerns for organizations using Microsoft 365 or integrating third-party apps with OneDrive. This blog post explains the issue, its risks, and how you can protect your data.


What was discovered?

The OneDrive File Picker is a component that lets a user choose files from their Microsoft 365 account from inside a third-party application. Oasis Security found that the problem lies in the OAuth scopes the picker requests. When a user picks a file, the picker asks for broad delegated permissions such as Files.Read.All or Files.ReadWrite.All, which cover every file the signed-in user can access (including files shared with them), not just the file they selected.

The issue spans multiple versions of the picker:

  • Versions 6.0 to 7.2 used the OAuth implicit flow, which returns the access token in the URL fragment (where it can end up in browser history) and then keeps it in plaintext in browser localStorage, readable by any script running on the page.
  • Version 8.0 switched to the Microsoft Authentication Library (MSAL), but it still caches tokens in plaintext in browser sessionStorage. That only narrows the exposure to the lifetime of the tab: any script on the page (an XSS payload or a compromised third-party script) can still read them.
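To make the storage point concrete, here is an added example (not code from the Oasis Security report or from the File Picker itself) of what any script running on the integrating app's origin can recover from Web Storage when tokens are kept there in plaintext: the tokens, the scopes they carry, and whether a refresh token is present. The MSAL-style cache key and value layout, the legacy key name `odfp_token`, and all tokens in the sample storage are constructed for this example and are not taken from the page.

```javascript
// Added example: this is not code from the Oasis Security report or from the
// OneDrive File Picker. It shows what any script running on the integrating
// app's origin (an XSS payload, a compromised third-party script, a malicious
// browser extension) can pull out of Web Storage when tokens are kept there
// in plaintext: the tokens themselves, the scopes they carry, and whether a
// refresh token (persistent access) is present.
//
// Assumptions, not taken from the original page:
//  - MSAL.js-style cache entries: key contains "-accesstoken-" or
//    "-refreshtoken-", value is JSON whose "secret" field is the token.
//  - Older picker versions stored a bare JWT under some key; the key name
//    "odfp_token" used below is invented.
//  - All tokens below are constructed, unsigned samples.

const BROAD_FILE_SCOPES = new Set(['Files.Read.All', 'Files.ReadWrite.All']);

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Build an unsigned sample JWT (header.payload.) for the demo data only.
function makeSampleJwt(payload) {
  return `${base64url({ alg: 'none', typ: 'JWT' })}.${base64url(payload)}.`;
}

// Decode a JWT payload without verifying it; null if the value is not a JWT.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Extract the "secret" field of an MSAL-style JSON cache entry, or null.
function msalSecret(raw) {
  try {
    const entry = JSON.parse(raw);
    return typeof entry.secret === 'string' ? entry.secret : null;
  } catch {
    return null;
  }
}

// Minimal stand-in for the Web Storage interface so the example runs in Node.
// In a browser you would pass window.localStorage or window.sessionStorage.
class FakeStorage {
  constructor(entries) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
}

// Enumerate a Storage object and report every token found in it.
function scanStorageForTokens(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const raw = storage.getItem(key);
    let kind = null;
    let token = null;

    if (/-refreshtoken-/i.test(key)) {
      kind = 'refresh_token';          // opaque; its presence is the finding
      token = msalSecret(raw);
    } else if (/-accesstoken-/i.test(key)) {
      kind = 'access_token';
      token = msalSecret(raw);
    } else if (decodeJwtPayload(raw)) {
      kind = 'access_token';           // bare JWT under some other key
      token = raw;
    }
    if (!token) continue;

    const claims = decodeJwtPayload(token) || {};
    const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ') : [];
    findings.push({
      key,
      kind,
      audience: claims.aud ?? null,
      scopes,
      broad: scopes.some((s) => BROAD_FILE_SCOPES.has(s)),
      persistent: kind === 'refresh_token',
      expires: claims.exp ? new Date(claims.exp * 1000).toISOString() : null,
    });
  }
  return findings;
}

// Constructed sample storage resembling what a page that embeds the picker
// might hold after a user has consented.
const SAMPLE_STORAGE = new FakeStorage({
  'uid.tid-login.windows.net-accesstoken-app-client-id-tid-files.readwrite.all':
    JSON.stringify({
      credentialType: 'AccessToken',
      secret: makeSampleJwt({ aud: 'https://graph.microsoft.com', scp: 'Files.ReadWrite.All', exp: 1900000000 }),
    }),
  'uid.tid-login.windows.net-refreshtoken-app-client-id--':
    JSON.stringify({ credentialType: 'RefreshToken', secret: 'constructed-opaque-refresh-token' }),
  odfp_token: makeSampleJwt({ aud: 'https://graph.microsoft.com', scp: 'Files.Read.All', exp: 1900000000 }),
  theme: 'dark', // unrelated entry that must be ignored
});

console.log(JSON.stringify(scanStorageForTokens(SAMPLE_STORAGE), null, 2));
```

Run with `node`. The sample storage yields three findings: two access tokens carrying a tenant-wide file scope and one refresh token, which is the persistent-access case; the unrelated `theme` entry is ignored. Nothing here needs the token's signature, which is the point: whoever can read the storage can use the token as-is against Microsoft Graph.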

What’s the risk?

If exploited, this lets a malicious or compromised third-party app read (or, with Files.ReadWrite.All, modify) every file in the user's OneDrive once the user has granted consent. Consent is required through the standard OAuth consent screen, but its generic wording does not make clear that the grant covers the whole account rather than the chosen file, so users are easily led to approve far more access than they intend.

The risks include:

  • Unauthorized Access: Sensitive files—like financial records or confidential documents—could be exposed.
  • Data Leakage: A compromised app could leak data to unauthorized parties.
  • Persistent Access: If refresh tokens are granted (via the offline_access scope), the app could retain access without further user input.

Importantly, the grant is bound to the consenting user's account: the app can reach what that account can reach, but it gains no access to other users or to other Microsoft 365 tenants.


Has Microsoft fixed it?

Microsoft was notified through responsible disclosure and acknowledged the finding, but did not treat it as requiring an urgent fix because the access is granted through user consent. Microsoft indicated possible future improvements without committing to a timeline, so for now mitigation falls on users and organizations.


What can you do?

Here are practical steps to reduce your risk:

  • Audit Connected Apps: Review which third-party apps hold access to your files and revoke any you do not recognise or no longer use. Personal accounts do this in the Microsoft account privacy settings; organizations do it in the Entra admin center, where the user consent grants for each enterprise application are listed under its Permissions blade.
  • Limit Permissions: When an app asks for Files.Read.All or Files.ReadWrite.All, understand that you are granting access to everything your account can reach. Choose a narrower permission where the app offers one; where it does not (the picker itself requests the broad scope), the only real choice is to decline.
  • Avoid Refresh Tokens: Developers should not request offline_access; without it, the app's access ends with the access token's lifetime instead of persisting silently.
  • Secure Token Storage: Developers should perform the token exchange on the server and keep tokens out of localStorage and sessionStorage. If the browser must hold a token, keep it in memory only (MSAL.js supports an in-memory cache) and short-lived.
  • Use Alternatives: Consider disabling the File Picker integration altogether, or share a view-only link to the specific file instead of granting an app direct API access.
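For the developer-side steps above (limit permissions, avoid refresh tokens), the following is an added example, not code from Microsoft, MSAL, or the Oasis Security report. It lints the scope list an app is about to request and, once a delegated Microsoft Graph access token comes back, compares the scopes in its `scp` claim with what the app intended to ask for. The policy values, the function names, and the sample token are this example's own assumptions.

```javascript
// Added example, not code from Microsoft, MSAL, or the Oasis Security report.
// Two checks for a team that embeds the OneDrive File Picker in its own app:
//  1. lintScopeRequest(): refuse to ship a token request that asks for a
//     tenant-wide file scope or for offline_access.
//  2. auditIssuedToken(): once a delegated Microsoft Graph access token comes
//     back, compare the scopes in its "scp" claim with what the app meant to
//     request, so an over-broad grant is caught at runtime rather than
//     discovered later in an access review.
// Assumptions: the policy values are this example's own; the token used in the
// demo is a constructed, unsigned JWT, and nothing here verifies signatures.

const POLICY = {
  // Files.Read.All / Files.ReadWrite.All cover every file the user can reach.
  broadScopePattern: /^Files\.\w+\.All$/i,
  allowOfflineAccess: false,
};

// Check a planned scope request against the policy before it is ever sent.
function lintScopeRequest(scopes, policy = POLICY) {
  const problems = [];
  for (const s of scopes) {
    if (policy.broadScopePattern.test(s)) {
      problems.push(`${s}: grants access to the whole OneDrive, not the picked file`);
    }
    if (!policy.allowOfflineAccess && s.toLowerCase() === 'offline_access') {
      problems.push('offline_access: yields a refresh token, so access outlives the session');
    }
  }
  return { ok: problems.length === 0, problems };
}

// Decode a JWT payload without verifying it; null if the value is not a JWT.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Compare the scopes actually granted (scp claim) with the ones requested.
// Note: a delegated token's scp claim is a space-separated list of scopes.
function auditIssuedToken(jwt, requestedScopes, policy = POLICY) {
  const claims = decodeJwtPayload(jwt);
  if (!claims || typeof claims.scp !== 'string') {
    return { ok: false, reason: 'not a delegated JWT with an scp claim', granted: [], unexpected: [], broad: [] };
  }
  const granted = claims.scp.split(' ');
  const requested = new Set(requestedScopes.map((s) => s.toLowerCase()));
  const unexpected = granted.filter((s) => !requested.has(s.toLowerCase()));
  const broad = granted.filter((s) => policy.broadScopePattern.test(s));
  return { ok: unexpected.length === 0 && broad.length === 0, granted, unexpected, broad };
}

// Demo data (constructed): the request a careless integration makes, the
// request the app actually needs, and an unsigned sample token as issued.
function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}
function makeSampleJwt(payload) {
  return `${base64url({ alg: 'none', typ: 'JWT' })}.${base64url(payload)}.`;
}
const CARELESS_REQUEST = ['Files.ReadWrite.All', 'offline_access'];
const INTENDED_REQUEST = ['Files.Read'];
const SAMPLE_TOKEN = makeSampleJwt({
  aud: 'https://graph.microsoft.com',
  scp: 'Files.ReadWrite.All User.Read',
  exp: 1900000000,
});

console.log(lintScopeRequest(CARELESS_REQUEST));
console.log(lintScopeRequest(INTENDED_REQUEST));
console.log(auditIssuedToken(SAMPLE_TOKEN, INTENDED_REQUEST));
```

Wire `lintScopeRequest` into a unit test over the app's MSAL request configuration so a broad scope cannot reach production unnoticed, and call `auditIssuedToken` on every token before using it; a token whose `broad` list is non-empty should be discarded and the consent revoked, because holding it means the app already has far more than it needs.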

Organizations can also tighten the user consent settings in Entra (for example, allow users to consent only to permissions classified as low impact and route everything else through the admin consent workflow), so that a request for a scope like Files.Read.All is reviewed by an administrator before anyone can grant it, and approve only the narrowest scope an integration can work with. Conditional Access governs who can sign in and from where; it does not shrink the scopes an app is granted, so it is not a substitute for consent governance.


Why it matters

With growing reliance on cloud tools and third-party integrations, controlling access permissions is vital for data security. This vulnerability shows how even trusted platforms like OneDrive can pose risks if not managed carefully. By auditing permissions and adopting secure habits, you can safeguard your organization’s sensitive data.


Want the full technical breakdown?

Oasis Security has published a detailed analysis of their findings here:
👉 Read the full report