Microsoft OneDrive File Picker Flaw Grants Apps Full Cloud Access — Even When Uploading Just One File

A critical security flaw in Microsoft’s OneDrive File Picker allows third-party apps to gain full access to users’ cloud storage, even when only requesting to upload a single file. This vulnerability stems from overly broad OAuth scopes, misleading consent screens, and insecure token storage, putting sensitive data at risk.

Affected apps include:

  • ChatGPT
  • Slack
  • Trello
  • ClickUp

Microsoft has acknowledged the issue but has not yet released a fix. Security experts recommend revoking OneDrive OAuth upload permissions until a secure solution is available.

🔗 Reference: The Hacker News

You Should Know:

1. Check Your Enterprise Exposure Using Microsoft Defender App Governance

To identify whether your organization is affected, run the following KQL (Kusto Query Language) query in Microsoft Defender:

    AppGovernanceActivity
    | where PermissionGranted has_any ("Files.ReadWrite.All", "Sites.ReadWrite.All", "AllSites.Write", "MyFiles.Write")
    | project AppName, UserId, PermissionGranted, Timestamp

2. Revoke Suspicious OAuth Permissions (PowerShell Command)

Use Microsoft Graph PowerShell to audit and remove excessive permissions. Review the matches before removing them: deleting a grant revokes every scope it holds for that app and user (or the whole tenant, for admin-consented grants), not only the broad file scope, and the app will ask for consent again.

    Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All"
    # Scope is a space-separated string; escape the dots so they match literally
    Get-MgOauth2PermissionGrant -All | Where-Object { $_.Scope -match "Files\.ReadWrite\.All|Sites\.ReadWrite\.All" } |
        ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
3. Secure OneDrive Access via Conditional Access (Azure AD)

Enforce MFA and device compliance for OneDrive access. Note that IncludeApplications takes cloud application IDs, not URLs; target the "Office 365 SharePoint Online" app, which is the cloud app that covers OneDrive. To test the policy before enforcing it, create it with -State "enabledForReportingButNotEnforced" first.

    New-MgIdentityConditionalAccessPolicy -DisplayName "Block Risky OneDrive Access" -State "enabled" -Conditions @{
        # placeholder: replace with the application ID of "Office 365 SharePoint Online"
        Applications   = @{ IncludeApplications = @("<Office 365 SharePoint Online app ID>") }
        Users          = @{ IncludeUsers = @("All") }
        ClientAppTypes = @("all")
    } -GrantControls @{
        Operator        = "OR"
        BuiltInControls = @("mfa", "compliantDevice")
    }
4. Monitor Suspicious OneDrive Activity (Microsoft Sentinel Query)

Detect abnormal file access patterns. In the OfficeActivity table the workload is carried in OfficeWorkload (RecordType for OneDrive file events is "SharePointFileOperation"), and counting distinct files per user per hour surfaces bulk access rather than repeated reads of one file:

    OfficeActivity
    | where TimeGenerated > ago(1d)
    | where OfficeWorkload == "OneDrive"
    | where Operation == "FileAccessed"
    | where UserId != "<approved-service-account@yourtenant>"   // placeholder: exclude known automation
    | summarize Count = dcount(OfficeObjectId) by UserId, bin(TimeGenerated, 1h)
    | where Count > 100
5. Linux/Mac Alternative: Use `rclone` for Secure Cloud Sync

If you want to move away from the OneDrive client, sync files with rclone instead:

    rclone config   # create a remote; wrap it in a "crypt" remote for client-side encryption
    rclone copy ~/Documents remote:OneDriveBackup --progress --checksum
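
An added example that is not part of the article, extending step 2 above: rather than deleting grants in one pipeline, it builds a reviewable report of every delegated grant that carries one of the broad file scopes named in step 1, resolves the app and the consenting user, and only then offers the removal. It assumes the Microsoft.Graph PowerShell SDK and a role that can read grants, service principals and users; the function name and CSV path are my own.

```powershell
# Added example (not from the article). Assumes Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "User.Read.All" -NoWelcome

# Scopes that grant far more than "upload one file" (the ones the article names).
$BroadScopes = @("Files.ReadWrite.All", "Sites.ReadWrite.All", "AllSites.Write", "MyFiles.Write")

function Get-BroadFileGrant {
    $spCache = @{}   # service principal id -> display name, to avoid repeated lookups
    foreach ($grant in Get-MgOauth2PermissionGrant -All) {
        # Scope is one space-separated string; split it so only whole scope names match.
        $scopes = $grant.Scope -split '\s+' | Where-Object { $_ }
        $hits = $scopes | Where-Object { $BroadScopes -contains $_ }
        if (-not $hits) { continue }

        if (-not $spCache.ContainsKey($grant.ClientId)) {
            $spCache[$grant.ClientId] = (Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId).DisplayName
        }

        # ConsentType "AllPrincipals" = admin consent on behalf of every user;
        # "Principal" = a single user consented, and PrincipalId is that user.
        $who = "ALL USERS (admin consent)"
        if ($grant.ConsentType -eq "Principal") {
            $who = (Get-MgUser -UserId $grant.PrincipalId -Property UserPrincipalName).UserPrincipalName
        }

        [pscustomobject]@{
            GrantId     = $grant.Id
            App         = $spCache[$grant.ClientId]
            GrantedTo   = $who
            BroadScopes = ($hits -join " ")
            AllScopes   = $grant.Scope
        }
    }
}

$report = Get-BroadFileGrant
$report | Sort-Object App | Format-Table -AutoSize
$report | Export-Csv -Path .\onedrive-broad-grants.csv -NoTypeInformation   # hypothetical output path

# Remove only after review: deleting a grant revokes every scope the app held for that
# user (or tenant), so the app will re-prompt for consent. Run with -WhatIf first.
# $report | ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.GrantId -WhatIf }
```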

What Undercode Say:

This flaw highlights the dangers of overprivileged OAuth apps and poor consent screen transparency. Enterprises must:
– Audit OAuth grants regularly.
– Enforce least privilege in cloud permissions.
– Monitor token usage for anomalies.
– Migrate to zero-trust models where possible.

🔹 Prediction: Microsoft will likely enforce granular OAuth scopes and mandatory admin consent for high-risk permissions in future updates.

Expected Output:

✅ KQL queries for Defender monitoring.

✅ PowerShell commands to revoke risky permissions.

✅ Azure AD Conditional Access policies.

✅ Linux `rclone` as a secure alternative.

✅ Microsoft Sentinel detections for abnormal access.

Stay vigilant and restrict OneDrive OAuth access until Microsoft patches this flaw. 🚨

Reported By: 0x534c Cybersecurity – Hackers Feeds