OneDrive File Picker Flaw Provides ChatGPT and Other Web Apps Full Read Access to Users’ Entire OneDrive

Oasis Security's research team uncovered a flaw in Microsoft's OneDrive File Picker that allows websites to access a user’s entire OneDrive content, rather than just the specific files selected for upload via OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp–meaning millions of users may have already granted these apps access to their OneDrive. This flaw could have severe consequences, including customer data leakage and violation of compliance regulations.

Upon discovery, Oasis reported the flaw to Microsoft and advised vendors using OneDrive File Picker of the issue. In response, Microsoft is considering future improvements, including more precise alignment between what OneDrive File Picker does and the access it requires. 

Below are details of the flaw and mitigation strategies. You can read the Oasis Security Research team’s full report here.

‍

The Flaws 

Excessive Permissions in the OneDrive File Picker

The official OneDrive File Picker implementation requests read access to the entire drive – even when uploading just a single file – due to the lack of fine-grained OAuth scopes for OneDrive. 

While users are prompted to provide consent before completing an upload, the prompt’s vague and unclear language does not communicate the level of access being granted, leaving users open to unexpected security risks.

The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option.

‍

Insecure Storage of Sensitive Secrets

Sensitive secrets used for this access are often stored insecurely by default.

The latest version of OneDrive File Picker (8.0) requires developers to take care of the authentication themselves, typically using the Microsoft Authentication Library (MSAL) and most likely using the Authorization Flow. 

Security risks ensue:

• MSAL stores sensitive Tokens in the browser’s session storage in plain text. 
• With Authorization Flows a Refresh Token may also be issued, which lengthens the access period, providing ongoing access to the user's data. 

Notably, OpenAI uses version 8.0.

‍

Mitigation Steps

The lack of fine-grained OAuth scopes combined with Microsoft’s vague user prompt is a dangerous combination that puts both personal and enterprise users at risk. Oasis Security recommends that individuals and technology leaders review the third-party access they’ve granted to their account to mitigate the potential risks raised by these issues.

‍

Check Whether or Not You’ve Previously Granted Access to a Vendor

‍

How to for Private Accounts

• Log in to your Microsoft Account.
• In the left or top pane, click on "Privacy".
• Under "App Access", select the list of apps that have access to your account.
• Review the list of apps, and for each app, click on “Details” to view the specific scopes and permissions granted.
• You can “Stop Sharing” at any time. Consider that an Access Token takes about an hour to expire regardless of when you clicked stopped sharing. This would however revoke a Refresh Token if present.

‍

How to for Organizations

• In the Entra Admin Center, navigate to the list of enterprise applications.
• The list will display an Application ID column (Client ID) and an Object ID column (also known as the Service Principal Object ID).
• Currently, there is no way to filter for Delegated Applications directly from this screen.
• To check the permissions granted to each app, click on an application, then click on the “Permissions” button in the left pane. This will list all granted scopes and you can verify whether they are delegated.
• You can also view the user who granted the permissions.

‍

Check if a Site Uses the OneDrive File Picker

To check if a site is using the OneDrive File Picker:

• Attempt to upload or download a file to OneDrive through the site's interface.
• When the consent prompt appears, check whether OneDrive permissions are being requested.

‍

Mitigation for Web Apps

If possible, temporarily remove the option to upload files using OneDrive through OAuth until Microsoft provides a secure alternative. In the meantime, consider exploring safer, simpler workarounds, such as supporting shared "view-only" file links from OneDrive, understanding that this flow may be less convenient for users.

If removing the File Picker is not a feasible solution for you, Oasis Security recommends the following:

• Avoid using Refresh Tokens
  
  • Do not request the "offline access" scope.
  • Remove any code or storage logic related to keeping and using Refresh Tokens.
  • If any Refresh Tokens are currently stored, dispose of them in a secure manner.

• Store your Access Tokens in a secure manner and dispose of them when no longer needed.
  
  • Review the code that handles Access Tokens to ensure they are not exposed to third parties (e.g., by being stored in session or local storage).
    

For further details on the flaws and mitigation strategies, you can read the Oasis Security Research team’s full report here.

‍

About the Oasis Research Team

The Oasis Security Research Team is a global group of experts specializing in identity and cloud-native security. With deep experience in offensive and defensive operations, vulnerability research, and threat analysis, we focus on protecting hybrid cloud ecosystems and securing non-human identities. Our mission is to uncover vulnerabilities, analyze emerging threats, and collaborate with vendors to strengthen security across the industry, providing actionable insights that drive resilience and innovation.