Cyberveille, curated by Decio
8 results tagged OAuth
OneDrive File Picker OAuth Flaw Exposes Full Drive Access https://www.oasis.security/resources/blog/onedrive-file-picker-security-flaw-oasis-research
29/05/2025 10:33:47

Oasis Security's research team uncovered a flaw in Microsoft's OneDrive File Picker that allows websites to access a user's entire OneDrive content, rather than just the specific files selected for upload via OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp, meaning millions of users may have already granted these apps access to their OneDrive. This flaw could have severe consequences, including customer data leakage and violation of compliance regulations.

Upon discovery, Oasis reported the flaw to Microsoft and advised vendors using OneDrive File Picker of the issue. In response, Microsoft is considering future improvements, including more precise alignment between what OneDrive File Picker does and the access it requires.

Below are details of the flaw and mitigation strategies. You can read the Oasis Security Research team’s full report here.

The Flaws
Excessive Permissions in the OneDrive File Picker
The official OneDrive File Picker implementation requests read access to the entire drive – even when uploading just a single file – due to the lack of fine-grained OAuth scopes for OneDrive.

While users are prompted to provide consent before completing an upload, the prompt’s vague and unclear language does not communicate the level of access being granted, leaving users open to unexpected security risks.

The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option.

Insecure Storage of Sensitive Secrets
Sensitive secrets used for this access are often stored insecurely by default.

The latest version of OneDrive File Picker (8.0) requires developers to take care of the authentication themselves, typically using the Microsoft Authentication Library (MSAL) and most likely using the Authorization Flow.

Security risks ensue:

  • MSAL stores sensitive tokens in the browser's session storage in plain text.
  • With Authorization Flows a Refresh Token may also be issued, which lengthens the access period, providing ongoing access to the user's data.
Notably, OpenAI uses version 8.0.

Mitigation Steps
The lack of fine-grained OAuth scopes combined with Microsoft’s vague user prompt is a dangerous combination that puts both personal and enterprise users at risk. Oasis Security recommends that individuals and technology leaders review the third-party access they’ve granted to their account to mitigate the potential risks raised by these issues.

Check Whether or Not You’ve Previously Granted Access to a Vendor
How to for Private Accounts

1. Log in to your Microsoft Account.
2. In the left or top pane, click on "Privacy".
3. Under "App Access", select the list of apps that have access to your account.
4. Review the list of apps, and for each app, click on "Details" to view the specific scopes and permissions granted.
5. You can "Stop Sharing" at any time. Consider that an Access Token takes about an hour to expire regardless of when you clicked "Stop Sharing". This does, however, revoke a Refresh Token if one is present.

oasis.security EN 2025 OneDrive File Picker OAuth Flaw MSAL
Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
23/04/2025 08:14:24

Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted individuals. This activity comes on the heels of attacks Volexity reported on back in February 2025, where Russian threat actors were discovered targeting users and organizations through Device Code Authentication phishing...

volexity 2025 EN Russia M365 Microsoft365 phishing NGO OAuth UTA0352 login.microsoftonline.com
Phishers abuse Google OAuth to spoof Google in DKIM replay attack https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/
21/04/2025 13:27:52

In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google's systems, passing all verifications but pointing to a fraudulent page that collected logins.

bleepingcomputer EN 2025 DKIM Google Phishing Scam weakness spoof OAuth
Fake "Security Alert" issues on GitHub use OAuth app to hijack accounts https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/
16/03/2025 20:04:30

A widespread phishing campaign has targeted nearly 12,000 GitHub repositories with fake

InfoSec Phishing GitHub Repository Computer OAuth Issue Security
New details reveal how hackers hijacked 35 Google Chrome extensions https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/
02/01/2025 10:47:03

New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven.

bleepingcomputer EN 2024 Chrome-extension Cyberhaven Data-Theft Facebook OAuth Phishing Supply-Chain-Attack
Threat actors misuse OAuth applications to automate financially driven attacks https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/
13/12/2023 15:25:29

Microsoft Threat Intelligence presents cases of threat actors misusing OAuth applications as automation tools in financially motivated attacks.

microsoft EN 2023 OAuth applications automation tools attacks
Malicious OAuth applications abuse cloud email services to spread spam https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
24/09/2022 00:50:46

Microsoft discovered an attack where attackers installed a malicious OAuth application in compromised tenants and used their Exchange Online service to launch spam runs.

microsoft EN 2022 Exchange OAuth abuse spam Exchange attack
GitHub: Attacker breached dozens of orgs using stolen OAuth tokens https://www.bleepingcomputer.com/news/security/github-attacker-breached-dozens-of-orgs-using-stolen-oauth-tokens/
18/04/2022 09:45:06

GitHub revealed today that an attacker is using stolen OAuth user tokens (issued to Heroku and Travis-CI) to download data from private repositories.

Breach GitHub OAuth Warning bleepingcomputer EN 2022