Readit News
pawanjswal · 3 months ago
It's hard to believe that the OneDrive File Picker still doesn't have fine grained OAuth scopes in 2025. Allowing read access to the whole drive just to upload one file goes against the principle of least privilege.
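As an added illustration of the least-privilege point above (not part of the original comment), the short Python helper below audits the scopes an integration requests from the Microsoft identity platform and flags any that grant drive-wide access rather than access limited to an app folder or to user-selected items. The permission names are real Microsoft Graph delegated permissions; the authorize URL and the classification of which scopes count as "drive-wide" for a single-file upload are this example's own assumptions, and it makes no claim about which scopes the actual OneDrive File Picker requests.

```python
from urllib.parse import urlparse, parse_qs

# Microsoft Graph delegated permission names (real names). The grouping
# below is this example's policy, not Microsoft's: scopes that cover the
# whole drive versus scopes limited to an app folder or selected items.
DRIVE_WIDE = {
    "Files.Read", "Files.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}
NARROW = {
    "Files.ReadWrite.AppFolder",
    "Files.Read.Selected", "Files.ReadWrite.Selected",
}
GRAPH_PREFIX = "https://graph.microsoft.com/"


def requested_scopes(authorize_url: str) -> list[str]:
    """Extract the space-separated 'scope' parameter from an OAuth
    authorization URL. Resource-prefixed scopes such as
    'https://graph.microsoft.com/Files.Read' are normalized to the bare
    permission name so they match the sets above."""
    query = parse_qs(urlparse(authorize_url).query)
    raw = query.get("scope", [""])[0]
    scopes = []
    for token in raw.split():
        if token.startswith(GRAPH_PREFIX):
            token = token[len(GRAPH_PREFIX):]
        scopes.append(token)
    return scopes


def audit_scopes(scopes: list[str]) -> dict:
    """Classify requested scopes. An integration whose only job is to
    upload one file should need nothing from DRIVE_WIDE; if any such
    scope is present, least_privilege is False."""
    drive_wide = sorted(s for s in scopes if s in DRIVE_WIDE)
    narrow = sorted(s for s in scopes if s in NARROW)
    other = sorted(s for s in scopes if s not in DRIVE_WIDE and s not in NARROW)
    return {
        "drive_wide": drive_wide,
        "narrow": narrow,
        "other": other,           # openid, offline_access, etc.
        "least_privilege": not drive_wide,
    }


def audit_url(authorize_url: str) -> dict:
    """Convenience wrapper: parse the URL, then audit its scopes."""
    return audit_scopes(requested_scopes(authorize_url))


# Constructed sample URLs (hypothetical client_id and redirect_uri).
BROAD_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2FFiles.Read"
)
NARROW_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&scope=openid%20Files.ReadWrite.AppFolder"
)

if __name__ == "__main__":
    for name, url in (("broad", BROAD_URL), ("narrow", NARROW_URL)):
        print(name, audit_url(url))
```

Run on the broad sample it reports `Files.Read` as drive-wide and `least_privilege: False`; the narrow sample passes. The same check can be pointed at any consent prompt URL captured from a browser's address bar before the user clicks Accept.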
hulitu · 3 months ago
> It's hard to believe that the OneDrive File Picker still doesn't have fine grained OAuth scopes in 2025

We are talking about Microsoft here. Me gets a new laptop, company allows SW installation only from an internal portal, i don't find Teams there, i ask a colleague how does one install Teams: IT said to download it from microsoft.com. ROTFL. Of course it does not need "elevated privileges" to install. Of course it is installed for every account on the computer and has access to all user files. But some people still _believe_ the (first appeared in Win95) "most secure Windows ever" lie.

mchenier · 3 months ago
One way to avoid this problem and considerably reduce the attack surface is to:
1- Create a dummy OneDrive account.
2- Share a folder on your main OneDrive to the dummy account.
3- In the dummy account, map the shared link to a folder for easier access, as if it was a normal folder. (May not be required for some apps.)
4- Only let third-party apps access the dummy OneDrive account with its single folder.

This doesn’t give any app access to your main OneDrive account, just the files and folders under the folder you have shared with the dummy account.

ThePowerOfFuet · 3 months ago
To summarize: "Avoid OneDrive."

Deleted Comment

type0 · 3 months ago
> In response, Microsoft is considering future improvements

Who knows, maybe it works as intended, that's MS Windows in a nutshell

hulitu · 3 months ago
They did round the buttons in Office 365 some months ago. /s