Critical OneDrive Flaw Lets Malicious Websites Access All Your Files
gbhackers

A newly revealed vulnerability in Microsoft's OneDrive File Picker has placed millions of users at risk, enabling popular web applications, including ChatGPT, Slack, Trello, and ClickUp, to gain full read access to users' entire OneDrive accounts.
The flaw, uncovered by the Oasis Security Research Team, stems from excessive OAuth permissions and insecure token management, raising urgent concerns for both individuals and enterprises.
Excessive Permissions:
The root of the issue lies in the OneDrive File Picker’s use of overly broad OAuth scopes.
OAuth is the industry-standard protocol that lets users grant third-party apps access to their data.
However, instead of limiting access to only the files a user selects for upload or sharing, the File Picker requests read (and sometimes write) permissions for the entire OneDrive account.
This design flaw means that when a user uploads a single document through a web app, that app can potentially read every ...
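A defensive check of the scope problem described above, added here as an example and not code from the article, Oasis Security, or Microsoft: given an OAuth authorize URL captured from a web app (a constructed sample below), it lists the requested scopes and flags those that grant access to the whole OneDrive rather than to the files the user picked. The scope names are real Microsoft Graph permission names; which of them count as account-wide versus narrow is this example's own classification, not one the article gives.

```python
from urllib.parse import urlparse, parse_qs

# Graph permission names that grant access well beyond the picked files.
# The grouping below is this example's assumption, not the article's list.
BROAD_FILE_SCOPES = {
    "Files.Read.All": "read every file the user can reach",
    "Files.ReadWrite.All": "read and write every file the user can reach",
    "Sites.Read.All": "read all SharePoint sites (OneDrive included)",
    "Sites.ReadWrite.All": "read and write all SharePoint sites",
}
# Still covers the user's entire own drive, so it is reported separately.
DRIVE_WIDE_SCOPES = {"Files.Read", "Files.ReadWrite"}
# Scopes that limit the app to user-selected items or its own folder.
NARROW_SCOPES = {"Files.Read.Selected", "Files.ReadWrite.Selected",
                 "Files.ReadWrite.AppFolder"}

# Constructed sample: a file-picker login that asks for write access to everything.
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=token"
    "&scope=openid%20Files.ReadWrite.All%20offline_access"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
)


def extract_scopes(authorize_url: str) -> list[str]:
    """Return the space-separated scopes from an OAuth authorize URL."""
    query = parse_qs(urlparse(authorize_url).query)
    raw = " ".join(query.get("scope", []))
    return [s for s in raw.split() if s]


def audit_scopes(authorize_url: str) -> dict:
    """Classify each requested scope; 'excessive' is True when any scope
    grants more than access to user-selected files."""
    # Graph scopes may be prefixed with the resource URI; keep the short name.
    short = [s.rsplit("/", 1)[-1] for s in extract_scopes(authorize_url)]
    broad = [s for s in short if s in BROAD_FILE_SCOPES]
    drive_wide = [s for s in short if s in DRIVE_WIDE_SCOPES]
    narrow = [s for s in short if s in NARROW_SCOPES]
    return {"scopes": short, "broad": broad, "drive_wide": drive_wide,
            "narrow": narrow, "excessive": bool(broad or drive_wide)}


if __name__ == "__main__":
    result = audit_scopes(SAMPLE_AUTHORIZE_URL)
    for scope in result["broad"]:
        print(f"EXCESSIVE: {scope} - {BROAD_FILE_SCOPES[scope]}")
    print("excessive request" if result["excessive"] else "scopes look narrow")
```

Run it over authorize requests to login.microsoftonline.com pulled from proxy logs to inventory which integrations ask for account-wide file access.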
Copyright of this story solely belongs to gbhackers.