OneDrive OAuth Flaw May Expose All Your Files to Web Apps

Excessive access permissions leave your data more vulnerable than you might think.

It’s a common scenario: you're using a web application and need to upload a file from your OneDrive. A familiar interface appears, you select your file, and you're done—or so you think. In reality, by clicking "Allow," you may have granted that application access to your entire OneDrive, not just the file you chose. This isn't a bug in Microsoft's implementation of OAuth but rather a consequence of how the OneDrive File Picker is configured. The issue? It requests a broad scope—Files.Read—which gives the third-party app read access to all files in your OneDrive, not just the one being uploaded. This breaks the principle of least privilege, under which an application is granted access only to the data it strictly needs.

Lack of clarity in consent dialogs

The problem is made worse by vague consent dialogs that don’t clearly communicate how much access you're giving. “In simple terms,” explains Elad Luz, research lead at Oasis Security, “any web application that uses the OneDrive File Picker can access your entire OneDrive—not just the file you select. And worse, that access might persist even after the upload is complete.”

Researchers at Oasis Security tested dozens of applications and found this issue in many popular tools—including Slack, Trello, ClickUp, Zoom, and even ChatGPT. Hundreds of other apps may also be affected.

How other platforms do it better

The comparison with other cloud storage services is telling:

  • Google Drive uses much more granular scopes, allowing apps access only to files they’ve created or that were explicitly shared with them.

  • Dropbox’s Chooser SDK avoids OAuth altogether by using a proprietary access mechanism that only passes the chosen files.

These approaches help limit the risk in case of token theft or abuse. Microsoft, by contrast, seems to take a more coarse-grained approach, increasing the potential attack surface.

Real-world risks: token theft and forgotten data

Even if the app itself is legitimate, the storage and reuse of access tokens can be dangerous. “Long-lived tokens are often cached in localStorage or backend databases without encryption,” warns Jason Soroko, senior fellow at Sectigo. “If such a token is stolen, the attacker may have access to an entire tenant’s OneDrive environment.”

And many users underestimate how much sensitive data lives in their OneDrive folders. “Scanned IDs, tax forms, personal health records, or even synced camera photos can be quietly sitting in your OneDrive without you realizing it,” adds Jamie Boote, security consultant at Black Duck. “Any app you authorize might gain access to it all.”

What should users and IT teams do?

Soroko offers clear advice:

  • Enforce admin consent for any app requesting access to files.

  • Limit scopes to alternatives like Files.Read.Selected where available.

  • Review existing app registrations for over-permissioned scopes.

  • Require token protection and short-lived access via Entra ID and Conditional Access policies.
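One way to act on the third point, reviewing existing grants for over-broad file scopes, as an added example that is not from the article or from Microsoft: a small Python audit over delegated permission grants shaped like Microsoft Graph oauth2PermissionGrant records (clientId, consentType, principalId, scope). The grant data, app names and the list of scopes treated as broad are constructed assumptions for illustration; adapt them to your tenant's own policy and export.

```python
"""Audit delegated OAuth2 permission grants for over-broad OneDrive file scopes."""

# Scopes that expose every file in a user's OneDrive (or, with .All, every drive
# in the tenant); Files.Read is the one the OneDrive File Picker requests.
BROAD_FILE_SCOPES = {"Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"}
# Least-privilege alternatives: the app only reaches files the user explicitly picked.
SELECTED_FILE_SCOPES = {"Files.Read.Selected", "Files.ReadWrite.Selected"}


def audit_grants(grants, app_names):
    """Return one finding per grant that carries at least one broad file scope.
    `grants` mirrors the fields of Microsoft Graph oauth2PermissionGrant objects
    (clientId, consentType, principalId, scope as a space-separated string)."""
    findings = []
    for grant in grants:
        scopes = set(grant.get("scope", "").split())
        broad = sorted(scopes & BROAD_FILE_SCOPES)
        if not broad:
            continue
        findings.append({
            "client_id": grant["clientId"],
            "app_name": app_names.get(grant["clientId"], "<unknown app>"),
            "broad_scopes": broad,
            # consentType AllPrincipals = admin consent on behalf of every user
            "tenant_wide": grant.get("consentType") == "AllPrincipals",
            # already holds a .Selected scope, so the broad one can be revoked safely
            "selected_alternative": bool(scopes & SELECTED_FILE_SCOPES),
        })
    return findings


# Constructed sample, shaped like an export of delegated grants (not real tenant data).
SAMPLE_GRANTS = [
    {"clientId": "sp-uploader", "consentType": "Principal", "principalId": "user-1",
     "scope": "openid profile Files.Read"},
    {"clientId": "sp-picker-ok", "consentType": "Principal", "principalId": "user-2",
     "scope": "openid Files.Read.Selected"},
    {"clientId": "sp-backup", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Files.ReadWrite.All Files.Read.Selected"},
]
SAMPLE_NAMES = {"sp-uploader": "ExampleUploader", "sp-backup": "ExampleBackup"}


def broad_scope_report(grants=SAMPLE_GRANTS, app_names=SAMPLE_NAMES):
    """One line per finding, tenant-wide grants first since they affect every user."""
    rows = sorted(audit_grants(grants, app_names), key=lambda f: not f["tenant_wide"])
    return [f"{f['app_name']} ({f['client_id']}) "
            f"[{'TENANT-WIDE' if f['tenant_wide'] else 'per-user'}]: "
            f"{', '.join(f['broad_scopes'])}" for f in rows]


if __name__ == "__main__":
    print("\n".join(broad_scope_report()))
```

Grants that hold a .Selected scope alongside a broad one are the cheapest wins: the broad scope can be revoked without breaking the app's picker flow.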

A call to action for Microsoft

Luz concludes: “A scope that is not fine-grained enough, combined with vague prompts, is a dangerous combination for both individuals and organizations.”

Until Microsoft updates its OAuth implementation to better reflect the principle of least privilege, the responsibility lies with security teams and users to be cautious. Just because it’s a Microsoft window doesn’t mean it’s safe by default.

Related ManageEngine tools that can help

To detect and mitigate over-permissioned apps and risky third-party integrations, you can leverage:

  • ManageEngine AD360: Unified identity and access management with granular control and visibility.

  • Log360 Cloud Security: SIEM with integrations that monitor cloud app access patterns and alert on anomalies.

  • M365 Manager Plus: Provides detailed auditing and reporting on Microsoft 365 activities, including token usage and file access.
