The entire contents of your OneDrive may be exposed every time you connect to a third-party application. A recent report reveals that uploading a single file from Microsoft OneDrive to a third-party app may expose everything in your OneDrive folders to that app. Hackers could use this exposure to steal or even encrypt your data and hold it for ransom. Both personal and enterprise users are at risk.
We’ve all become accustomed to using third-party apps to make our personal and work lives easier. While Slack, ChatGPT, Trello and others can streamline our work, they also make our systems more vulnerable to threats. In late May, security researchers uncovered and announced a new threat that could be affecting all users who transfer files between OneDrive and third-party apps.
Discovery and Response
Security researchers at Oasis Research Team identified “excessive permissions” in the OneDrive File Picker tool. They announced their discovery in an article published in late May 2025. Their report highlights that, due to a lack of fine-grained OAuth scopes, the file picker requests access to an entire OneDrive account, even when the user only selects one file.
Microsoft has acknowledged the problem, but there is no fix or fix timeline as of this publication. Here is the software giant’s public statement: “We appreciate the partnership with Oasis security in responsibly disclosing this issue. This technique does not meet our bar for immediate servicing as a user must provide consent to the application before any access is allowed. We will consider improvements to the experience in a future release.”
How the Vulnerability Works
The overly permissive OneDrive File Picker carries the blame for this vulnerability.
Developers use File Picker to create an interface for their web applications (and websites) that can select, download, save, or share files from OneDrive. Users hoping to access a file must grant permission for the app to access OneDrive.
The language for the permission request is misleading and vague. Users could easily assume that they are granting access to one file, while unknowingly allowing access to their entire OneDrive.
Once access is granted, File Picker can read the entire OneDrive in an upload scenario and write to the entire OneDrive in a download scenario. Access may even persist after the original data exchange has been closed out.
What You Can Do About It
Organizations and individuals should take action to protect against the risks revealed by Oasis Research’s report. The key is to be aware of what exposure means and to weigh your options accordingly.
Broad permissions could be leveraged to obtain complete read access to OneDrive that could persist for a long duration. The hacked OneDrive may contain sensitive personal information, corporate IP, HIPAA protected data, and more. If OAuth tokens are also hijacked, the malicious actors could leverage them to make API requests impersonating the user.
To mitigate your risk, start by reviewing what third-party access has been granted to your accounts. Be aware that some websites also use OneDrive File Picker.
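For an enterprise tenant, one concrete way to do that review is to export the delegated OAuth grants (Microsoft Graph returns them from GET /oauth2PermissionGrants, each with clientId, consentType, principalId, resourceId and a space-separated scope string) and flag the ones that hand an app a whole drive or persistent access. The script below is an added example, not code from the article, Oasis Security or Microsoft; the grant records and service-principal ids in it are constructed placeholders, and the scoring thresholds are my own choice.

```javascript
// Added example, not code from the article, Oasis Security or Microsoft.
// Reviews delegated OAuth 2.0 permission grants in the shape Microsoft Graph
// returns from GET /oauth2PermissionGrants. The records in SAMPLE_GRANTS are
// constructed sample data; the clientId values are placeholders.

const SAMPLE_GRANTS = [
  { clientId: "sp-picker-demo", consentType: "Principal", principalId: "user-1",
    resourceId: "graph", scope: "Files.ReadWrite.All offline_access User.Read" },
  { clientId: "sp-calendar", consentType: "Principal", principalId: "user-1",
    resourceId: "graph", scope: "Calendars.Read User.Read" },
  { clientId: "sp-backup", consentType: "AllPrincipals", principalId: null,
    resourceId: "graph", scope: "Files.Read.All" },
  { clientId: "sp-notes", consentType: "Principal", principalId: "user-2",
    resourceId: "graph", scope: "Files.Read offline_access" },
];

// Delegated scopes that give an app the user's whole drive (or, for the
// ".All" variants, every drive and site the user can reach) rather than
// the single file the user thought they were sharing.
const DRIVE_SCOPE = /^(files|sites)\.(read|readwrite)(\.all)?$/;

// Score one grant: whole-drive access weighs most; the ".All" variants,
// the refresh-token-issuing offline_access scope and tenant-wide admin
// consent each add to it.
function reviewGrant(grant) {
  const scopes = grant.scope.trim().split(/\s+/).filter(Boolean)
    .map((s) => s.toLowerCase());
  const reasons = [];
  let driveScore = 0;
  for (const s of scopes) {
    const m = DRIVE_SCOPE.exec(s);
    if (!m) continue;
    const weight = m[3] ? 3 : 2;
    if (weight > driveScore) driveScore = weight;
    reasons.push(`whole-drive scope ${s}`);
  }
  let score = driveScore;
  if (scopes.includes("offline_access")) {
    score += 1;
    reasons.push("offline_access: access persists through refresh tokens");
  }
  if (grant.consentType === "AllPrincipals") {
    score += 1;
    reasons.push("AllPrincipals: admin consent covers every user in the tenant");
  }
  const severity =
    score >= 4 ? "high" : score >= 2 ? "medium" : score >= 1 ? "low" : "ok";
  return { clientId: grant.clientId, score, severity, reasons };
}

// Review every grant, drop the unremarkable ones and list the worst first
// (ties broken by clientId so the output is stable).
function reviewGrants(grants) {
  return grants
    .map(reviewGrant)
    .filter((r) => r.severity !== "ok")
    .sort((a, b) => b.score - a.score || a.clientId.localeCompare(b.clientId));
}

// Short report when run directly with node.
for (const r of reviewGrants(SAMPLE_GRANTS)) {
  console.log(`${r.severity.toUpperCase()} ${r.clientId}: ${r.reasons.join("; ")}`);
}
```

The scope names matched here (Files.Read, Files.ReadWrite, Files.Read.All, Files.ReadWrite.All and the Sites equivalents) are real Microsoft Graph delegated permissions, but the article does not say which of them the File Picker requests, so treat the matcher as a starting point and widen it to whatever your tenant's export actually shows. Personal accounts have no Graph grant export; for those, the "apps and services" consent page in the Microsoft account settings is the place to do the same review by hand.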
Until Microsoft provides a secure alternative to File Picker, it may be prudent to temporarily remove the option to upload files using OneDrive through OAuth. If that’s not possible, Oasis Research has provided the following recommendations:
- “Avoid using Refresh Tokens.
- Do not request the ‘offline access’ scope.
- Remove any code or storage logic related to keeping and using Refresh Tokens.
- If any Refresh Tokens are currently stored, dispose of them in a secure manner.
- Store your Access Tokens in a secure manner and dispose of them when no longer needed.
- Review the code that handles Access Tokens to ensure they are not exposed to third parties (e.g., by being stored in session or local storage).”
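The recommendations above come down to two developer-side habits: never ask for a scope that yields a refresh token, and keep the access token only in memory for as long as the picker needs it. The snippet below is an added example that shows both, not code from Oasis Security, Microsoft or the File Picker SDK; it assumes your app already obtains an access token through the OAuth authorization-code flow, and the function and variable names are hypothetical.

```javascript
// Added example, not code from the article, Oasis Security or Microsoft.
// Assumes the app obtains an access token elsewhere (authorization-code
// flow); every name here is hypothetical.

// Scopes that cause the authorization server to issue a refresh token, which
// is exactly the long-lived access the recommendations say not to keep.
const FORBIDDEN_SCOPES = new Set(["offline_access"]);

// Build the scope parameter for the authorization request, refusing any
// scope that would hand the app persistent access.
function buildScopeParam(scopes) {
  for (const s of scopes) {
    if (FORBIDDEN_SCOPES.has(s.toLowerCase())) {
      throw new Error(`scope "${s}" would issue a refresh token; remove it`);
    }
  }
  return scopes.join(" ");
}

// Hold the access token in a closure only (never sessionStorage, localStorage
// or a cookie), enforce its expiry on every read, and allow explicit disposal.
// The `now` parameter is injectable so the expiry logic can be tested.
function createTokenHolder(now = () => Date.now()) {
  let token = null;
  let expiresAt = 0;
  return {
    set(accessToken, expiresInSeconds) {
      token = accessToken;
      expiresAt = now() + expiresInSeconds * 1000;
    },
    get() {
      if (token === null || now() >= expiresAt) {
        token = null; // expired tokens are dropped, not returned
        return null;
      }
      return token;
    },
    dispose() {
      token = null;
      expiresAt = 0;
    },
    isHeld() {
      return token !== null && now() < expiresAt;
    },
  };
}

// Run the picker with a token getter and dispose of the token as soon as the
// picking operation finishes, whether it succeeded or threw.
async function withPickerToken(holder, accessToken, expiresIn, pickerFn) {
  holder.set(accessToken, expiresIn);
  try {
    return await pickerFn(() => holder.get());
  } finally {
    holder.dispose();
  }
}

// Demonstration with a fake picker callback (no network; runs under node).
withPickerToken(createTokenHolder(), "example-access-token", 300, async (getToken) => {
  return getToken() !== null;
}).then((ok) => console.log("token available during picking:", ok));
```

The holder deliberately has no `load()` or `save()`: if the only copy of the token lives in a closure, a page reload or tab close ends the app's access, which is the behaviour the recommendations are after. Pair it with the scope check so a future refactor cannot quietly add `offline_access` back to the request.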
OneDrive: A Repeat Target
Microsoft’s trustworthiness and universality make its products a likely tool in hackers’ toolkits. You simply can’t be so ubiquitous without being leveraged for ill intent. Fortunately, security researchers are always testing Microsoft’s systems and reporting whatever they may find.
North Korean hackers of the Kimsuky group have made OneDrive a linchpin of the sophisticated spearphishing campaigns they’ve launched over the last few years. Carefully crafted emails, not the normal phishing junk that is easily detected, arrive at government organizations, research centers, and think tanks. They fool even the brightest minds doing some of the most important work in the world into clicking OneDrive links that connect to documents filled with malicious macros.
Researchers at Eye Security have investigated other potential OneDrive vulnerabilities, noting that “sync misuse” when coupled with another known tactic (replacing .lnk files) could allow a bad actor to move from accessing a compromised account to accessing a compromised host.
Yet another researcher used OneDrive to gain initial access and then utilized legitimate programs to remotely execute malicious activities.
Prepared Not Scared
OneDrive and other Microsoft products are likely deeply embedded in your tech stack already. If that’s true, then it’s important to understand both the strengths and vulnerabilities of the products. No platform is 100% safe, but awareness is a powerful defense.
We share information about potential vulnerabilities to help you prepare, not panic. Follow the recommended security guidelines, review your app permissions, and stay updated with the latest threat intelligence. The OneDrive File Picker flaw is serious, but with the right precautions, you can minimize your exposure and stay secure.
If your business needs help identifying everyday threats and developing security awareness training, reach out to Asylas at 615-622-4591 or email info@asylas.com. Or complete our contact form.