A newly disclosed security concern is raising alarms for anyone using Microsoft OneDrive. According to cybersecurity researchers, third-party web apps that integrate with OneDrive’s file picker may gain access to all your stored files—even when you only intend to upload one.
The issue stems from how OneDrive handles OAuth permissions. Instead of limiting access to just the file a user selects, the OneDrive File Picker grants read access to the user’s entire OneDrive account. This broad permission model violates the principle of least privilege, and many users have no idea they’re exposing such a wide surface of sensitive information.
Elad Luz, Head of Research at Oasis Security, explains it plainly: if you use a web app to upload or download a file via OneDrive, that app can potentially read everything in your cloud storage. Worse still, this access doesn’t always end when the upload is complete.
What makes this more dangerous is the vague consent prompts. When users click “Allow,” they’re not clearly told they’re giving an app access to their full OneDrive. Many people just click through, assuming they’re only sharing one file.
Popular Apps Affected, Broader Risk
Luz lists several mainstream platforms—like ChatGPT, Slack, Trello, Zoom, and ClickUp—that could be impacted by this over-permissive access. And these are just the tip of the iceberg. Hundreds of other third-party applications may be operating with similar unchecked access.
In contrast, other cloud storage services offer tighter security controls. Google Drive, for instance, lets apps request access only to the files they’ve created or those explicitly shared by the user. Dropbox uses its own Chooser SDK that bypasses standard OAuth flows altogether, relying instead on a proprietary and more restrictive file selection method.
Microsoft’s current approach isn’t technically flawed, but it leaves too much room for misconfiguration and exploitation. Security experts warn that the design significantly increases the potential attack surface.
Jason Soroko, Senior Fellow at Sectigo, says the issue isn’t just the permissions, but how misleading the consent interface is. “Users think they’re sharing a document, not handing over the keys to their digital kingdom,” he cautions. And once access is granted, those long-lived OAuth tokens—often stored in unencrypted databases or browser localStorage—can be stolen and used by attackers to browse through all of a user’s files.
Jamie Boote, a principal security consultant at Black Duck, highlights what’s at stake: “People forget just how much personal and sensitive data ends up in OneDrive. From scanned IDs and medical records to private photos, your OneDrive often contains much more than you realize.”
What Should Be Done?
Security experts stress the importance of vigilance. Just because the integration is from Microsoft doesn’t mean it’s automatically secure.
Organizations should enforce stricter controls, such as admin consent policies or conditional access rules that limit applications to the most basic permissions (like Files.Read). Security teams are advised to audit current enterprise app authorizations, look for overly broad scopes, and reconfigure them with the minimum access necessary.
Another key measure is requiring short-lived tokens and enabling token protection features through Microsoft’s Entra ID system.
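As an added example (not part of the article or of Oasis Security's research), the following Python audit reads delegated OAuth grant records shaped like Microsoft Graph's oauth2PermissionGrant objects and flags the broad file scopes described above, ranking tenant-wide grants and grants backed by a refresh token (offline_access) first. The client names and grant records are constructed sample data; the scope names are real Microsoft Graph delegated permissions.

```python
"""Audit OAuth delegated-permission grants for file scopes wider than one picked file.
Records mirror the fields Microsoft Graph returns from GET /v1.0/oauth2PermissionGrants
(clientId, consentType, principalId, scope); sample values are constructed, not real."""
from dataclasses import dataclass, field

# Delegated scopes that reach the user's whole drive (or all shared content),
# rather than the single file chosen in a picker.
BROAD_FILE_SCOPES = {
    "Files.Read", "Files.ReadWrite",          # every file the signed-in user has in OneDrive
    "Files.Read.All", "Files.ReadWrite.All",  # plus files shared with the user
    "Sites.Read.All", "Sites.ReadWrite.All",  # all SharePoint sites as well
}

@dataclass
class Finding:
    client_id: str
    consent_type: str   # "AllPrincipals": admin consented for every user; "Principal": one user
    broad_scopes: list
    persistent: bool    # offline_access granted: a refresh token keeps access alive after upload
    severity: str = field(init=False)

    def __post_init__(self):
        tenant_wide = self.consent_type == "AllPrincipals"
        self.severity = "high" if (tenant_wide or self.persistent) else "medium"

def audit_grants(grants):
    """Return a Finding for each grant carrying any broad file scope, worst first."""
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())  # Graph returns scopes space-separated
        broad = sorted(scopes & BROAD_FILE_SCOPES)
        if broad:
            findings.append(Finding(g["clientId"], g["consentType"], broad,
                                    "offline_access" in scopes))
    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (order[f.severity], f.client_id))
    return findings

# Constructed sample: an admin-consented upload helper, a user-consented picker, a mail app.
SAMPLE_GRANTS = [
    {"clientId": "upload-helper", "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile Files.ReadWrite.All offline_access"},
    {"clientId": "doc-picker", "consentType": "Principal", "principalId": "user-1",
     "scope": "User.Read Files.Read"},
    {"clientId": "mail-sync", "consentType": "Principal", "principalId": "user-2",
     "scope": "User.Read Mail.Read offline_access"},
]

for f in audit_grants(SAMPLE_GRANTS):
    print(f.severity, f.client_id, f.consent_type, " ".join(f.broad_scopes), "refresh-token" if f.persistent else "")
```

On real data, pass the `value` array returned by the oauth2PermissionGrants endpoint in place of the constructed list; each Finding names a grant to review and reconfigure with narrower scopes.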
The bottom line is clear: both Microsoft and its users need to rethink assumptions around file sharing and application security. “A vague permission request and an overly broad scope are a dangerous combo,” Luz concludes. Until Microsoft provides more fine-grained controls, every file shared through OneDrive could come with unintended exposure.