Microsoft OneDrive Flaw Could Expose Entire Cloud Storage

Paige Henley
Published on: June 10, 2025

A serious security flaw in Microsoft’s OneDrive File Picker could let websites access all of a user’s cloud files, not just the ones they intend to upload. The issue was discovered by the Oasis research team.

The flaw stems from “overly broad OAuth scopes” combined with vague consent screens: together they let an app read an entire OneDrive account, even when the user has chosen only one file for upload.

Apps like ChatGPT, Slack, Trello, and ClickUp are believed to be affected due to their connection with Microsoft’s cloud services.

The consent screen shown to users doesn’t clearly explain what’s being accessed, which can lead to accidental “customer data leakage and violation of compliance regulations.”

Oasis also warned that access tokens are sometimes stored insecurely in plain text in a browser’s session storage. In some cases, refresh tokens are used, giving apps long-term access without needing users to log in again.

Microsoft has acknowledged the problem but hasn’t released a fix yet. Until then, experts suggest either avoiding file uploads through the OneDrive OAuth flow, or keeping the integration but disabling refresh tokens and storing access tokens more securely.
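The two weaknesses described above, over-broad scopes on the consent request and bearer tokens sitting in plain text in Web Storage, are both things a web app owner can check for on their own side. The following is an added example written for this article; it is not code from Oasis, Microsoft, or any of the products named. It audits the OAuth 2.0 authorization URL an app is about to open and scans a Web Storage object for JWT-shaped tokens. The scope names used (`Files.Read`, `Files.Read.All`, `offline_access`) are real Microsoft identity platform and Microsoft Graph permission names, but which of them the OneDrive File Picker actually requests is not stated here, and the list of scopes treated as "broad" is this example's own policy assumption. The sample URL, storage contents and JWT are constructed.

```javascript
// Added example (not from the article, Oasis or Microsoft): defender-side checks for a
// web app that integrates a cloud file picker.
//  1. auditAuthRequest: inspect the OAuth 2.0 authorization URL before it is opened and
//     flag tenant-wide scopes, refresh-token requests and the implicit flow.
//  2. scanStorageForTokens: walk a Web Storage object (e.g. window.sessionStorage) for
//     bearer tokens kept in plain text and report the scopes each one carries.
// Scope names are real Microsoft Graph / identity platform names; which ones the OneDrive
// picker requests is not stated here, and the BROAD_SCOPES list is an assumption.

const BROAD_SCOPES = new Set([
  'Files.Read.All', 'Files.ReadWrite.All',
  'Sites.Read.All', 'Sites.ReadWrite.All',
]);
const REFRESH_TOKEN_SCOPE = 'offline_access'; // requesting this yields a refresh token

function auditAuthRequest(authUrl, { allowRefreshToken = false } = {}) {
  const url = new URL(authUrl);
  const scopes = (url.searchParams.get('scope') || '').split(/\s+/).filter(Boolean);
  const findings = [];
  for (const s of scopes) {
    if (BROAD_SCOPES.has(s)) findings.push(`broad scope requested: ${s}`);
  }
  if (!allowRefreshToken && scopes.includes(REFRESH_TOKEN_SCOPE)) {
    findings.push('offline_access requested: app would hold a long-lived refresh token');
  }
  if (url.searchParams.get('response_type') === 'token') {
    findings.push('implicit flow: access token would be returned in the URL fragment');
  }
  return { scopes, findings, ok: findings.length === 0 };
}

// A JWT is three base64url segments separated by dots (the signature may be empty).
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

function decodeJwtPayload(token) {
  const payload = token.split('.')[1];
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

// storage: anything exposing length / key(i) / getItem(k), i.e. the Web Storage interface.
function scanStorageForTokens(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    if (typeof value !== 'string' || !JWT_RE.test(value)) continue;
    let scp = null;
    try { scp = decodeJwtPayload(value).scp ?? null; } catch { /* not a readable JWT */ }
    hits.push({ key, scopes: scp ? scp.split(' ') : [] });
  }
  return hits;
}

// ---- constructed sample input (not real tokens or client ids) --------------------------
// Minimal in-memory stand-in for window.sessionStorage.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => entries[k] ?? null };
}
// Unsigned JWT (alg "none") standing in for a leaked access token.
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const SAMPLE_AUTH_URL =
  'https://login.microsoftonline.com/common/oauth2/v2.0/authorize' +
  '?client_id=00000000-0000-0000-0000-000000000000&response_type=code' +
  '&scope=' + encodeURIComponent('Files.Read.All offline_access');

const SAMPLE_STORAGE = makeStorage({
  theme: 'dark',
  accessToken: fakeJwt({ aud: 'https://graph.microsoft.com', scp: 'Files.Read.All offline_access' }),
});

console.log(auditAuthRequest(SAMPLE_AUTH_URL));   // two findings: broad scope, refresh token
console.log(scanStorageForTokens(SAMPLE_STORAGE)); // one hit under key "accessToken"
```

Run `auditAuthRequest` in a pre-commit or integration test against the URL your picker integration builds, and `scanStorageForTokens` from the browser console or an end-to-end test after a login; a non-empty `findings` list or any hit with `Files.*.All` in its scopes is the condition the article warns about.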

“This discovery reinforces the importance of continuous vigilance in OAuth scope management, regular security assessments, and proactive monitoring to protect user data,” stated the Oasis research team.
