OneDrive File Picker is a Microsoft-provided tool that lets websites and web apps integrate with a user’s OneDrive account to allow uploading, browsing, and selecting OneDrive files directly from the app.
An over-privileged OAuth trap
This broad access stems from a limitation in Microsoft’s OAuth implementation within File Picker that researchers described as “a lack of fine-grained permissions scopes.”
Jason Soroko, senior fellow at Sectigo, calls the oversight an over-privileged OAuth trap. “Microsoft’s OneDrive File Picker encourages third-party web apps to request broad files,” he said. “Once issued, those long-lived tokens are often cached in localStorage or back-end databases without any encryption, potentially allowing attackers to trawl an entire tenant’s data.”
OneDrive File Picker’s OAuth implementation requests broad scopes instead of the fine-grained, file-level scopes that would let users and developers restrict access to only the files explicitly selected.
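As an added illustration (not Microsoft's code and not the File Picker's), the following defender-side check audits what a web app has cached in localStorage, flagging tokens that carry tenant-wide scopes or stay valid far longer than a session should; it assumes the cached values are JWT-shaped access tokens like those Microsoft Graph issues (scopes in the `scp` claim, expiry in `exp`), treats the listed Graph scopes as broad, and runs over a constructed sample storage object.

```javascript
// Added example, not Microsoft's or the File Picker's code: audit cached OAuth
// access tokens for tenant-wide scopes or excessive lifetime. Assumption: tokens
// are JWT-shaped (as Microsoft Graph access tokens are), scopes in "scp", expiry in "exp".
// Assumption: treat these Microsoft Graph scopes as broad, tenant-wide access.
const BROAD_SCOPES = ["Files.ReadWrite.All", "Files.Read.All", "Sites.ReadWrite.All"];

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

// Returns the decoded payload of a JWT, or null if the value is not one.
function decodeJwtPayload(value) {
  const parts = String(value).split(".");
  if (parts.length !== 3) return null;
  try { return JSON.parse(base64UrlDecode(parts[1])); } catch { return null; }
}

// Walk every key in a storage object (localStorage in a browser, or any plain
// object) and report each token-looking entry with the risks it carries.
function auditStorage(storage, nowSeconds, maxLifetimeSeconds = 3600) {
  const findings = [];
  for (const key of Object.keys(storage)) {
    const payload = decodeJwtPayload(storage[key]);
    if (!payload) continue;
    const scopes = typeof payload.scp === "string" ? payload.scp.split(" ") : [];
    const broad = scopes.filter((s) => BROAD_SCOPES.includes(s));
    const lifetime = typeof payload.exp === "number" ? payload.exp - nowSeconds : null;
    const issues = [];
    if (broad.length > 0) issues.push(`broad scopes: ${broad.join(", ")}`);
    if (lifetime === null) issues.push("no exp claim");
    else if (lifetime > maxLifetimeSeconds) issues.push(`long-lived: ${lifetime}s left`);
    findings.push({ key, scopes, lifetime, issues });
  }
  return findings;
}

// Builds an unsigned, JWT-shaped token for the constructed sample below.
function makeFakeJwt(payload) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.sig`;
}

// Constructed sample: one broad, long-lived token; one narrow, short one; one preference.
const NOW = 1700000000;
const SAMPLE_STORAGE = {
  picker_access_token: makeFakeJwt({ scp: "Files.ReadWrite.All User.Read", exp: NOW + 86400 }),
  profile_token: makeFakeJwt({ scp: "User.Read", exp: NOW + 600 }),
  theme: "dark",
};
```

In a browser the same call is `auditStorage(localStorage, Math.floor(Date.now() / 1000))`, since localStorage exposes its keys to `Object.keys`.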