May 29, 2025
Severity
High
Analysis Summary
A recently discovered vulnerability in Microsoft OneDrive’s File Picker feature is raising serious concerns over user data privacy and cloud storage security. Security researchers have revealed that this flaw could potentially allow any integrated web application, even those only intended to upload a single file, to access the user’s entire OneDrive account. This exposure is caused by overly broad OAuth permissions and vague consent screens that don’t clearly communicate what level of access users are actually granting.
The vulnerability stems from the way OneDrive handles OAuth scopes, which define what resources an application can access. The OneDrive File Picker does not support fine-grained scopes, so instead of asking for access to just one file it requests read access to the entire drive. Apps such as ChatGPT, Slack, Trello, and ClickUp, which integrate OneDrive for file uploads, are all potentially affected by this issue.
Even more concerning is the user experience during the file upload process. The consent prompt shown to users before connecting OneDrive is vague and misleading. It does not clearly explain that by uploading a single file, users are actually granting permission for the app to read their entire cloud storage. This opens the door for malicious applications to exploit this broad access under the guise of legitimate functionality.
The situation is worsened by insecure token handling. OAuth tokens, which authorize applications to access OneDrive data, are sometimes stored in plain text within the browser’s session storage. In some cases, refresh tokens are also issued, allowing persistent access to user data without requiring further login, a serious long-term security risk if these tokens are not properly managed or revoked.
Microsoft has acknowledged the issue but has yet to release a fix. In the meantime, users and organizations are being advised to avoid using OneDrive’s OAuth-based file upload feature, especially in high-security environments. Developers and administrators are encouraged to avoid using refresh tokens, securely store any access tokens, and clear them as soon as they are no longer needed.
This vulnerability highlights a major flaw in how cloud permissions are managed, especially for widely used services like OneDrive. It underlines the critical importance of transparency in user consent flows, the need for more precise permission controls in OAuth implementations, and the risks posed by insecure token storage. As more cloud services become integrated into daily workflows, ensuring that users understand what access they are granting, and protecting that access once granted, must remain a top priority.
Impact
- Unauthorized Access
- Exposure of Sensitive Data
Remediation
- Temporarily disable OneDrive file upload via OAuth in your applications until a secure fix is released.
- Avoid using refresh tokens to limit the duration of access granted to third-party applications.
- Store OAuth access tokens securely (e.g., encrypted storage), and never in plaintext or browser session storage.
- Revoke access tokens immediately after use or when they’re no longer needed.
- Use application-layer access controls to monitor and restrict data access based on context.
- Inform users clearly about the level of access they are granting when connecting cloud services.
- Regularly audit OAuth scopes requested by apps and only allow the minimum necessary permissions.
- Stay updated on Microsoft’s security advisories and apply patches or configuration changes as soon as they are released.
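The scope-audit and refresh-token items above can be checked mechanically from the OAuth authorize requests an organization already sees in proxy or SSO logs. The following is an added example written for this advisory, not code from Microsoft or from the researchers; it assumes the standard Microsoft Graph delegated permission names (Files.Read, Files.Read.All, Files.ReadWrite, Files.ReadWrite.All, and offline_access for refresh tokens) and runs over constructed sample log lines, flagging any app that asks for whole-drive file scopes or for a refresh token.

```python
from urllib.parse import urlparse, parse_qs

# Microsoft Graph delegated scopes that cover every file in the drive rather
# than one picked file. The names are the standard Graph permission names
# (an assumption of this example; the advisory itself does not list them).
WHOLE_DRIVE_SCOPES = {
    "files.read", "files.read.all", "files.readwrite", "files.readwrite.all",
}
# OIDC scope that makes the Microsoft identity platform issue a refresh token.
REFRESH_TOKEN_SCOPE = "offline_access"

# Constructed proxy log lines (not real traffic): two authorize requests from
# hypothetical apps, plus one unrelated Graph call that must be ignored.
SAMPLE_PROXY_LOG = [
    "2025-05-29T10:01:02Z user1 GET https://login.microsoftonline.com/common/"
    "oauth2/v2.0/authorize?client_id=11111111-aaaa-4bbb-8ccc-000000000001"
    "&response_type=code&scope=openid%20Files.Read.All%20offline_access"
    "&redirect_uri=https%3A%2F%2Fupload.example%2Fcb",
    "2025-05-29T10:05:44Z user2 GET https://login.microsoftonline.com/common/"
    "oauth2/v2.0/authorize?client_id=22222222-aaaa-4bbb-8ccc-000000000002"
    "&response_type=code&scope=openid%20Files.SelectedOperations.Selected"
    "&redirect_uri=https%3A%2F%2Fpicker.example%2Fcb",
    "2025-05-29T10:07:13Z user3 GET https://graph.microsoft.com/v1.0/me/drive/root/children",
]


def parse_scopes(authorize_url):
    """Return (client_id, normalized scope list) from an authorize request URL."""
    query = parse_qs(urlparse(authorize_url).query)  # parse_qs URL-decodes values
    client_id = query.get("client_id", ["<unknown>"])[0]
    raw = " ".join(query.get("scope", []))
    # Scopes are space-separated; strip any resource prefix such as
    # https://graph.microsoft.com/Files.Read and compare case-insensitively.
    return client_id, [s.split("/")[-1].lower() for s in raw.split()]


def audit_authorize_request(authorize_url):
    """Flag whole-drive file scopes and refresh-token requests for one app."""
    client_id, scopes = parse_scopes(authorize_url)
    broad = sorted(s for s in scopes if s in WHOLE_DRIVE_SCOPES)
    wants_refresh = REFRESH_TOKEN_SCOPE in scopes
    return {"client_id": client_id, "whole_drive_scopes": broad,
            "refresh_token_requested": wants_refresh,
            "flag": bool(broad) or wants_refresh}


def audit_log(lines):
    """Audit every authorize request in the log lines; return only flagged apps."""
    findings = []
    for line in lines:
        for token in line.split():
            if "/oauth2/v2.0/authorize?" in token:
                result = audit_authorize_request(token)
                if result["flag"]:
                    findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_PROXY_LOG):
        print(finding)
```

In the sample, only the first app is reported: it requests Files.Read.All (the whole drive) together with offline_access (a refresh token), while the second app asks only for a selected-item scope.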