Security Flaw in Microsoft's OneDrive File Picker
30 May 2025
Background
Security researchers have discovered a security flaw in the Microsoft OneDrive File Picker, which may allow third-party applications to gain full access to a user’s OneDrive storage, even when a user intends to upload a single file only.
Impact
Successful exploitation of the security flaw could allow a third-party application to gain unauthorised access to a user's entire cloud storage content, enabling the app to read, modify, or delete content without the user's explicit intention, potentially resulting in data loss and breaches of compliance regulations.
Affected Products
The security flaw affects any application that uses the Microsoft OneDrive File Picker and requests OneDrive access via OAuth consent flows. Both OneDrive Personal and Microsoft 365 OneDrive for Business accounts are affected.
Mitigation
Users and administrators of the affected products are advised to review and revoke access for unnecessary or untrusted third-party applications. Organisations should also restrict OAuth app consent settings in Azure Active Directory, enable admin approval workflows, and monitor for any unusual OneDrive activity. Users should exercise caution when authorising apps that request OneDrive access.
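As an added illustration of the "review and revoke" step above (example code written for this advisory, not from Microsoft or the original researchers), the script below triages delegated OAuth2 grants in the shape Microsoft Graph returns from GET /v1.0/oauth2PermissionGrants and flags apps holding broad Files.* scopes, ranking tenant-wide admin consents first. The grant records, app names and ids are constructed sample data.

```python
# Delegated Microsoft Graph scopes that expose the whole drive (every file the
# consenting user can reach) rather than only a file the user picked. The names
# are real Graph permission names; treating them as "too broad" is a policy call.
BROAD_FILES_SCOPES = {"Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"}


def flag_overbroad_grants(grants, app_names):
    """Return one finding per grant whose scope includes a broad Files.* permission.

    `grants` is a list of oauth2PermissionGrant objects as returned by
    GET /v1.0/oauth2PermissionGrants (fields: id, clientId, consentType, principalId, scope).
    `app_names` maps service-principal object ids to display names (from /servicePrincipals).
    """
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())
        broad = sorted(scopes & BROAD_FILES_SCOPES)
        if not broad:
            continue  # e.g. Files.ReadWrite.AppFolder or no Files scope at all
        tenant_wide = g.get("consentType") == "AllPrincipals"
        findings.append({
            "app": app_names.get(g["clientId"], g["clientId"]),
            "grant_id": g["id"],
            "broad_scopes": broad,
            # An admin (tenant-wide) grant reaches every user's OneDrive, so it
            # outranks a single user's own consent.
            "severity": "high" if tenant_wide else "medium",
            "affected": "all users" if tenant_wide else f"user {g.get('principalId')}",
        })
    # Tenant-wide grants first, then alphabetical by app, so reviewers start at the top.
    findings.sort(key=lambda f: (f["severity"] != "high", f["app"]))
    return findings


# Constructed sample data (not real tenants, apps or ids).
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-1111", "consentType": "AllPrincipals",
     "principalId": None, "scope": "openid offline_access Files.ReadWrite.All"},
    {"id": "grant-2", "clientId": "sp-2222", "consentType": "Principal",
     "principalId": "user-abcd", "scope": "User.Read Files.ReadWrite.AppFolder"},
    {"id": "grant-3", "clientId": "sp-3333", "consentType": "Principal",
     "principalId": "user-efgh", "scope": "User.Read Files.Read"},
]
SAMPLE_APP_NAMES = {"sp-1111": "Sample Uploader", "sp-2222": "Sample Picker-Only App",
                    "sp-3333": "Sample Notes"}

if __name__ == "__main__":
    for f in flag_overbroad_grants(SAMPLE_GRANTS, SAMPLE_APP_NAMES):
        print(f"[{f['severity']}] {f['app']}: {', '.join(f['broad_scopes'])} "
              f"({f['affected']}) -> review or revoke grant {f['grant_id']}")
```

Each flagged grant is a candidate for revocation (DELETE on the grant) or for replacement with a narrower scope such as Files.ReadWrite.AppFolder; the app that only holds the AppFolder scope is not reported.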
References:
https://thehackernews.com/2025/05/microsoft-onedrive-file-picker-flaw.html
https://learn.microsoft.com/en-us/onedrive/developer/controls/file-pickers/?view=odsp-graph-online