Critical OneDrive Security Flaw: Exposing User Data Through Misleading Permissions


Critical OneDrive Security Flaw Exposes Users' Cloud Storage to Unauthorized Access

A severe security vulnerability in Microsoft's OneDrive File Picker allows third-party applications to gain excessive access to users' cloud storage, according to a new report from Oasis Security. The flaw affects popular apps like Slack, ChatGPT, Trello, and ClickUp, potentially exposing sensitive user data through over-permissioned OAuth scopes. This vulnerability highlights the importance of understanding fundamental cloud computing security challenges.

Understanding the Security Risk

The core issue lies in the misleading consent process. When users attempt to share a single file, they unknowingly grant applications broad access to their entire OneDrive contents. These permissions persist through access tokens that remain active for at least an hour and can be refreshed for extended periods. Organizations must prioritize implementing robust cloud data protection measures to mitigate such risks.

"It's a classic case of over-permissioned OAuth scopes combined with a misleading consent flow," explains Vijay Dilwale, Principal Security Consultant at Black Duck. "This design creates unnecessary exposure for both individuals and organizations, especially when third-party apps are involved."

Technical Vulnerabilities and Storage Concerns

The security flaws extend beyond permission issues. Older versions of the OneDrive File Picker (6.0-7.2) stored access tokens insecurely in the browser's localStorage or exposed them in URL fragments. Even the current version 8.0 keeps tokens in plain text in sessionStorage, which is not a safe place for a bearer credential.

Eric Schwake, Director of Cybersecurity Strategy at Salt Security, emphasizes the API security implications: "Broad access is allowed without clear user awareness, as consent language is vague. With Agentic AI systems like ChatGPT relying on APIs to handle user data, wide-ranging access poses an even greater risk."

Protective Measures and Recommendations

Organizations and users can take several steps to protect themselves:

For Organizations:

  • Implement admin consent requirements for third-party app access
  • Audit app registrations and disable high-risk scopes
  • Enable Continuous Access Evaluation in Entra ID
  • Monitor Graph API logs for suspicious OneDrive access patterns
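As an added example (not code from the Oasis report or from Microsoft), the audit and monitoring steps above written as two checks over constructed records: the first flags consent grants that carry broad Graph file scopes (real permission names such as Files.ReadWrite, contrasted with the narrower Files.Read.Selected; the article names no specific scopes), the second flags an app that touches many distinct drive items within an hour, a pattern a single-file picker should never produce. Grant fields follow the shape of Graph's oauth2PermissionGrant object; the event records are a simplified, constructed stand-in for real Graph activity logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft Graph delegated scopes that reach far beyond one user-selected file.
# The ".Selected" variants (e.g. Files.Read.Selected) are the narrow contrast.
BROAD_FILE_SCOPES = {
    "Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}

def audit_grants(grants):
    """Return {clientId: {...}} for grants whose space-separated 'scope'
    includes a broad file scope; records mirror Graph oauth2PermissionGrant."""
    findings = {}
    for g in grants:
        broad = sorted(set(g["scope"].split()) & BROAD_FILE_SCOPES)
        if broad:
            findings[g["clientId"]] = {"consentType": g["consentType"], "broad": broad}
    return findings

def flag_bulk_access(events, threshold=20, window=timedelta(hours=1)):
    """Return {(appId, userId): max distinct items} for (app, user) pairs that
    touch more than `threshold` distinct drive items inside any `window`."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["appId"], e["userId"])].append(
            (datetime.fromisoformat(e["time"]), e["itemId"]))
    flagged = {}
    for key, evs in by_key.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):            # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {item for _, item in evs[start:end + 1]}
            if len(distinct) > threshold:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged

# Constructed sample data (not from the article): one app granted a broad scope
# plus offline_access (refresh tokens), one app with a narrow scope.
SAMPLE_GRANTS = [
    {"clientId": "app-picker-demo", "consentType": "Principal",
     "scope": "openid Files.ReadWrite offline_access"},
    {"clientId": "app-narrow-demo", "consentType": "Principal",
     "scope": "openid Files.Read.Selected"},
]
BASE = datetime(2025, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # 25 distinct items in ~12 minutes: not single-file picking
    {"appId": "app-picker-demo", "userId": "u1", "itemId": f"item-{i}",
     "time": (BASE + timedelta(seconds=30 * i)).isoformat()} for i in range(25)
] + [{"appId": "app-narrow-demo", "userId": "u1", "itemId": "item-0",
      "time": BASE.isoformat()}]
```

Running `audit_grants(SAMPLE_GRANTS)` reports only app-picker-demo with `Files.ReadWrite`, and `flag_bulk_access(SAMPLE_EVENTS)` flags the same app's user session at 25 distinct items.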

For Individual Users:

How This Information Can Be Used:

  1. IT administrators can implement immediate security measures to protect organizational data
  2. Developers can improve their applications' security by implementing proper token handling
  3. Individual users can better understand and manage their cloud storage permissions

Microsoft has acknowledged the vulnerability and is evaluating changes to align File Picker behavior with security best practices, though no official fix has been released as of May 2025.

For more information about OAuth security best practices, visit Microsoft's OAuth Security Guidelines.
