Date: 30 May 2025
A newly discovered OAuth misconfiguration in the Microsoft OneDrive File Picker integration could allow unauthorised access to entire OneDrive storage accounts. This issue affects popular third-party applications that rely on the file picker, including ChatGPT, Trello, Slack, and ClickUp.
Overview
The flaw allows attackers to exploit over-scoped OAuth tokens to gain access to full user storage without proper permissions. Users who integrate with affected apps may unknowingly expose large volumes of sensitive data.
CVE ID: Not assigned
Severity: Critical
Type: OAuth Scope Misuse
Affected Products: Any application integrating Microsoft OneDrive File Picker
Mitigation Steps
- Disable OAuth-based file uploads to OneDrive until mitigations are in place.
- Secure token storage by avoiding plaintext and session-based approaches.
- Revoke unnecessary or stale tokens and avoid long-lived refresh tokens.
- Educate end-users on secure authorisation practices and app permissions.
Summary for Security Teams
- Product: Microsoft OneDrive OAuth Integrations
- Threat Level: Critical
- Action: Disable integrations and review token policies
Reference
Need Help?
If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.
