Critical Flaw Found in OneDrive File Picker Puts User Data at Risk

A significant security vulnerability has been reported in Microsoft OneDrive's File Picker, the component that third-party web applications embed so a user can upload a file from OneDrive. When a user selects a single file through the picker, the application can end up with access to the user's entire drive, even though the user intended to share only that one file.

The core of the issue is how permissions are requested. The picker does not ask for access to the selected file alone; instead of a fine-grained, per-file permission, the application requests broad OAuth scopes that cover all of the user's files. The consent prompt that accompanies the request does not make the breadth of that grant clear, so users can authorize far more access than they intend.

Adding to the risk, the access tokens that confirm the grant are commonly kept in browser storage in plain text, where any script running in the application's origin, including one injected through a cross-site scripting flaw, can read them. In many integrations the application also receives a refresh token, which lets it keep obtaining new access tokens and retain access to the drive indefinitely without asking the user again.
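The following JavaScript is an added example; it is not code from the article, from Microsoft, or from the researchers who reported the flaw. It shows what a developer integrating the picker can check on the client side: whether the scopes being requested (or already present in a token's `scp` claim) cover the whole drive or add `offline_access`, whether a token with such scopes is sitting in plain text in browser storage, and how to hold a token in memory only and discard it when the upload is done. The scope names, the `scp` and `exp` claims, and the sample token and storage contents are assumptions constructed for illustration; the block runs under Node.js, and the storage scan also works against a real `window.localStorage`.

```javascript
// Added example, not part of the original article. Scope names, token layout and
// storage contents below are assumptions constructed for illustration.

// The article's point is that the drive API offers no single-file scope, so any
// Files.* scope is treated here as whole-drive access (assumed naming).
const DRIVE_SCOPE = /^Files\./;
// Presence of this scope makes the authorization server issue a refresh token.
const PERSISTENT_SCOPES = new Set(["offline_access"]);

// Report each scope that grants more than a single-file upload needs.
function auditScopes(scopes) {
  const findings = [];
  for (const scope of scopes) {
    if (DRIVE_SCOPE.test(scope)) {
      findings.push({ scope, issue: "covers every file in the drive, not only the picked one" });
    }
    if (PERSISTENT_SCOPES.has(scope)) {
      findings.push({ scope, issue: "yields a refresh token; access outlives the session with no new consent" });
    }
  }
  return findings;
}

// Decode the payload of a compact JWT. No signature check: this is an audit of
// what the client was granted, not validation of the token.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Space-separated "scp" claim -> array of scopes (empty if the claim is absent).
function grantedScopes(token) {
  const scp = decodeJwtPayload(token).scp;
  return typeof scp === "string" ? scp.split(" ").filter(Boolean) : [];
}

// Scan a storage object (a plain object or window.localStorage) for values that are
// JWTs carrying a drive-wide scope. Keys, not token values, are returned so the
// report itself does not leak the secret.
function findBroadTokensInStorage(storage) {
  const hits = [];
  for (const key of Object.keys(storage)) {
    let scopes;
    try { scopes = grantedScopes(storage[key]); } catch { continue; }
    if (scopes.some((s) => DRIVE_SCOPE.test(s))) hits.push(key);
  }
  return hits;
}

// Hold an access token in memory only, hand it out through a callback, and drop it
// when it expires or when the caller is done. Nothing is written to localStorage.
class InMemoryToken {
  #token = null;
  #exp = 0;
  set(token) {
    this.#token = token;
    this.#exp = decodeJwtPayload(token).exp ?? 0;  // seconds since epoch (assumed claim)
  }
  // Run fn with the token if it is still valid; otherwise clear it and return null.
  use(fn, now = Math.floor(Date.now() / 1000)) {
    if (this.#token === null) return null;
    if (now >= this.#exp) { this.clear(); return null; }
    return fn(this.#token);
  }
  clear() { this.#token = null; this.#exp = 0; }
  get isHeld() { return this.#token !== null; }
}

// Constructed sample token: unsigned, for this example only, so the audit functions
// can run offline. Real tokens are minted by the authorization server, never here.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.nosig`;
}

// Usage: the situation the article describes, then a request that is not drive-wide.
const leaked = makeSampleToken({ scp: "Files.ReadWrite.All offline_access", exp: 1700000000 });
const storage = { "app.token": leaked, theme: "dark" };  // constructed stand-in for localStorage
console.log(auditScopes(grantedScopes(leaked)));   // two findings: drive-wide scope, refresh token
console.log(findBroadTokensInStorage(storage));    // ["app.token"]
console.log(auditScopes(["User.Read"]));           // []: a profile scope, not a drive scope
```

The storage scan is the check to run once in the browser console of a deployed integration: a non-empty result means a drive-wide bearer token is readable by any script in that origin. The in-memory holder is the shape of the mitigation the article recommends, with expiry enforced on every use so a stale token is dropped rather than retried.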

Microsoft has acknowledged the report, but no fix has been released at the time of writing. Until one is, those building or deploying applications that use the picker are advised to disable uploads from OneDrive through it where feasible, to avoid requesting scopes that produce refresh tokens, and to keep access tokens in memory rather than in persistent browser storage and discard them as soon as the upload is complete.

The issue is a reminder that any application handling sensitive data needs least-privilege access scopes, consent prompts that state plainly what is being granted, and regular security review of the third-party components it integrates.