Security Flaw in Microsoft's OneDrive File Picker

Background

Security researchers have discovered a security flaw in the Microsoft OneDrive File Picker, which may allow third-party applications to gain full access to a user’s OneDrive storage, even when a user intends to upload a single file only.

Impact

Successful exploitation of the security flaw could allow a third-party application to gain unauthorised access to a user's entire cloud storage content, enabling the app to read, modify, or delete content without the user’s explicit intention, resulting in data loss and violation of compliance regulations.

Affected Products

The security flaw affects any application that uses the Microsoft OneDrive File Picker to request access via OAuth, including Microsoft 365 OneDrive Personal and Business accounts and applications that request OneDrive access via OAuth consent flows.

Mitigation

Users and administrators of the affected products are advised to review and revoke access for unnecessary or untrusted third-party applications. Organisations should also restrict OAuth app consent settings in Azure Active Directory, enable admin approval workflows, and monitor for any unusual OneDrive activity. Users should exercise caution when authorising apps that request for OneDrive access.

References:

https://thehackernews.com/2025/05/microsoft-onedrive-file-picker-flaw.html

https://learn.microsoft.com/en-us/onedrive/developer/controls/file-pickers/?view=odsp-graph-online