Microsoft OneDrive File Picker Flaw Grants Apps Full Cloud Access — Even When Uploading Just One File

Cybersecurity researchers identified a security vulnerability in Microsoft’s OneDrive File Picker that could allow malicious websites to access entire cloud storage content. The flaw is due to overly broad OAuth permissions and unclear consent prompts, risking data leaks and regulatory violations. #OneDriveVulnerability #OAuthFlaw

Key points

  • The security flaw affects Microsoft’s OneDrive File Picker and the apps that integrate it, such as ChatGPT, Slack, Trello, and ClickUp.
  • The issue stems from excessive OAuth permissions: the picker requests access to the user’s entire drive even for a single-file upload.
  • User consent screens are vague and do not clearly indicate how much access is being granted, which increases the security risk.
  • OAuth tokens are stored insecurely, in plaintext, within browser session storage, which exposes them to misuse.
  • Microsoft has acknowledged the problem but has not yet issued a fix; interim mitigations include disabling OAuth-based file uploads and managing tokens securely.
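As an added illustration (not code from the article, Microsoft, or the researchers), the two self-checks an app owner could run against the issues listed above: audit the scopes in the authorize URL a picker integration redirects to, and scan a snapshot of sessionStorage for JWT-shaped tokens kept in plaintext. The scope names are real Microsoft Graph delegated permissions; treating the drive-wide ones as excessive for a single-file upload, and the sample URL and storage contents, are constructed assumptions.

```javascript
// Added example: audit an OAuth authorize URL and a web-storage snapshot for
// the two weaknesses described in the article. Not code from the article,
// Microsoft, or the researchers; sample inputs below are constructed.

// Microsoft Graph delegated scopes that cover every file in the user's drive.
// Assumption: any of these is more than a single-file upload needs.
const DRIVE_WIDE_SCOPES = new Set(["Files.Read.All", "Files.ReadWrite.All"]);

// Strip an optional resource prefix such as "https://graph.microsoft.com/".
function normalizeScope(scope) {
  return scope.split("/").pop();
}

// Parse the authorize URL an app sends the user to and report which of the
// requested scopes grant drive-wide access. URLSearchParams already decodes
// "+" and "%20", so the scope list is space-separated after parsing.
function auditAuthorizeUrl(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams;
  const scopes = (params.get("scope") || "")
    .split(/\s+/)
    .filter(Boolean)
    .map(normalizeScope);
  const driveWide = scopes.filter((s) => DRIVE_WIDE_SCOPES.has(s));
  return { scopes, driveWide, excessive: driveWide.length > 0 };
}

// A JWT access token is three base64url segments; the first decodes to a JSON
// header, so it always starts with "eyJ" (base64 of '{"').
const JWT_RE = /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Scan a plain-object snapshot of web storage (in a browser you would pass
// Object.assign({}, sessionStorage)) and return the keys holding token-shaped
// values, i.e. tokens persisted in plaintext.
function findPlaintextTokens(storageSnapshot) {
  return Object.entries(storageSnapshot)
    .filter(([, v]) => typeof v === "string" && JWT_RE.test(v))
    .map(([k]) => k);
}

// Constructed sample: an authorize request asking for full read/write access
// to the drive, and a storage snapshot holding a JWT-shaped token.
const SAMPLE_AUTHORIZE_URL =
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=CLIENT_ID_PLACEHOLDER&response_type=token" +
  "&scope=openid%20Files.ReadWrite.All";
const SAMPLE_SESSION_STORAGE = {
  theme: "dark",
  access_token: "eyJhbGciOiJSUzI1NiJ9.eyJzY3AiOiJGaWxlcy5SZWFkV3JpdGUuQWxsIn0.c2ln",
};

console.log(auditAuthorizeUrl(SAMPLE_AUTHORIZE_URL));
console.log(findPlaintextTokens(SAMPLE_SESSION_STORAGE));
```

In a real review, a result with `excessive: true` or a non-empty token list is the cue to ask whether a narrower scope (for example Files.ReadWrite.Selected, assumed here to suit a single-file upload) and a non-persistent token store would serve the integration.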

Read More: https://thehackernews.com/2025/05/microsoft-onedrive-file-picker-flaw.html