Web apps may access all files in your OneDrive

Every time you upload a file to a website using OneDrive, you might be sharing far more than you intended. Behind a simple "choose file" button, many popular websites, including productivity tools, job platforms, and even AI apps, may be granted access to your entire OneDrive account.

This isn’t just a privacy concern, it’s a potential security gap affecting millions of users and potentially exposing sensitive personal and professional information. This happens because of how Microsoft’s OneDrive File Picker works: it requests broad permissions that stay active for up to an hour, or longer if refresh tokens are used.

Even trusted apps may be unintentionally overreaching, simply because of how the system is designed.

‍

What can you do today:

• Check what apps have access to your OneDrive: and revoke anything that looks suspicious.‍
• Be cautious when uploading files from your cloud storage to unfamiliar websites.
• Spread the word. Most people have no idea this is happening and that’s a big part of the problem.

‍

Protect your data. Control your cloud. Choose safer sharing.