Microsoft OneDrive users may have unwittingly provided hundreds of apps with access to the full contents of their cloud storage, according to a new research report from Oasis Security. The researchers found a security flaw in OneDrive File Picker that grants apps access to any and all files in the account when the user grants permission for just one file upload, with the language governing this process cited as too “vague” and “unclear” to communicate what is actually happening.
The security flaw stems from OAuth’s interaction with the apps, and a fix is not yet available. Impacted apps that might have overly broad reach into a user’s cloud storage via File Picker include Slack, Trello, Phenome and ClickUp. The report also mentions ChatGPT, a particularly concerning element given the unique risks of “ingestion” of user data into AI training models.
Lack of solution for security flaw prompts recommendation to disable OneDrive uploads
The security flaw potentially impacts any website or app that supports OneDrive file uploads. The Oasis researchers suggest some mitigation measures, but ultimately there is no real fix at this point and it may be necessary to entirely avoid or disable this interaction to ensure the integrity of cloud storage accounts. Microsoft has thus far only said that it has “taken note” of the report and “may consider improvements” in the future.
The problem is not so much a vulnerability as that OAuth simply lacks “fine-grained” oversight for OneDrive, essentially requiring it to request access to the whole of a cloud account when using File Picker rather than the one or more specified files the user is trying to upload. This is compounded by unclear language about how much permission is actually being granted when a user uploads their files, ultimately meaning that many users have unknowingly granted extensive access to an assortment of apps.
Prior versions of File Picker could request either or both read or write access to the entire contents of OneDrive cloud storage; as of the 7.0 edition, available since 2016, both permissions are automatically requested for all file transfers the first time the user interacts with File Picker.
Microsoft’s seeming dismissal of the issue thus far seems to be tied to the fact that it is not strictly a “security flaw” if the user consents to these permissions, but the Oasis report highlights the fact that users are very likely not aware that the access they are granting is this broad. It notes that the authorization prompt asks users to give the app permission to “open OneDrive files,” a phrasing that is commonly used throughout both Microsoft and other ecosystems such as Android to imply that the permission for specific files must be granted individually by the user during discrete transactions. An additional prompt to grant permission to “update data” that has been shared does not sufficiently make clear that this means write access to the whole of the cloud account.
Exploitation of the security flaw would require proactive malicious action by the app developer, and it appears some may well not be aware how much access they have been granted under the OAuth scheme. However, it is clear that this is wide open to abuse by a malicious actor that knowingly exploits the situation.
Secondary issues with File Picker access tokens
The researchers note some additional potential security flaws with the access tokens issued by File Picker. The token granted after the user provides consent allows the app to make API requests, is valid for one hour and cannot be revoked. Versions of File Picker prior to 7.2 could expose these tokens in URL fragments, and version 7.0 specifically also wrote sensitive tokens to the browser’s localStorage in plain text. The most current version, 8.0, stores sensitive tokens in the browser’s session storage in plain text when the app developer uses the Microsoft Authentication Library (MAL) for authorization as is recommended by official documentation.
Individual users can view and disable these app permissions via their Microsoft accounts, but this will not revoke the access token that is valid for one hour after using File Picker. Admins can do the same thing for individual users via the Entra Admin Center. But this is time-consuming and does not represent a real fix to the problem. The only real answer, at least until such time as Microsoft might address the issue, is to disable the ability to upload files to apps via OneDrive and provide “view-only” file links as an alternative.
The security flaws are concerning when paired with any app, but an extra layer is added when considering the general opacity of AI model data handling and storage and the fact that the information potentially lives on forever once taken in. It is unclear if any are helping themselves to cloud files, but the possibility is there. Eric Schwake, Director of Cybersecurity Strategy at Salt Security, expands on this particular threat: “Oasis Security’s recent research highlights a major privacy and security issue associated with Microsoft OneDrive’s integration with popular web applications such as ChatGPT, Slack, and Trello. Specifically, this problem enables these apps to obtain complete read access to a user’s entire OneDrive content instead of just the selected files for upload due to insufficiently detailed OAuth scopes in the official OneDrive File Picker. Additionally, sensitive secrets required for this access are often stored in an insecure manner by default. This situation presents a key API security challenge for security teams: excessively broad API access is frequently allowed without clear user awareness, as consent screen language can be ambiguous. With the emergence of Agentic AI, where services like ChatGPT heavily depend on APIs to access and handle user data, this wide-ranging access poses an even greater risk. This situation emphasizes the critical necessity for strong API governance to guarantee that all API permissions are meticulously managed, adhering to the principle of least privilege, while ensuring that tokens are securely handled to avoid extensive data exposure.”
Jamie Boote, Associate Principal Security Consultant at Black Duck, adds: “Trust isn’t just a word that you should pass over when clicking through. Whenever you’re prompted to answer, “Do you wish to trust this application with access to your data?” you are making a risk evaluation. It’s easy to default to yes, even if you don’t really need a flashlight app that has access to your contacts and call history, because the consequences of losing the privacy of your data often times goes unfelt until your identity is stolen or someone uses that information in a spear phishing attack. Many people forget how vital the data in their One- Drive folders often are – scanned documents that end up in the “My Pictures” or “My Documents” folders may hold the key to one’s credit identity and profile. Private medical or banking records may get shuffled in and forgotten about, and private photos that were taken by accident synced from your phone to your computer can all silently file into your One-Drive enabled folders. Whenever an app asks if you trust it, you’re trusting it with your most precious data. Good cybersecurity hygiene isn’t only about keeping the bad actors out, it’s often about making more intelligent decisions about who you let in and how far in they can get. When you’re making the call about whether you trust something or someone, you should also factor in what you’re trusting them with.”
Jason Soroko, Senior Fellow at Sectigo, suggests the following as added mitigation measures: “Users should assume that every SaaS plug-in they authorize has the keys to their personal or enterprise crown jewels unless proven otherwise. Security teams should enforce ‘admin consent’ or conditional-access policies that block apps requesting anything beyond Files.Read. They should also review existing enterprise app registrations for high risk scopes and disable or re-authorise them with the least privilege alternatives and require short lived bound tokens via Continuous Access Evaluation and token-protection in Entra ID. Finally, I would recommend that security teams monitor Graph API and CASB logs for anomalous OneDrive access patterns and push Microsoft and vendors to adopt granular, and most importantly, file-scoped permissions and clearer consent UX.”
