OneDrive File Picker Bug Lets Apps See All Your Files
Many apps today let you upload files directly from cloud services like Microsoft OneDrive. This makes sharing documents fast and easy. But a new OneDrive File Picker bug shows that this convenience could come with a serious risk.
What’s the Problem?
A bug in Microsoft’s OneDrive File Picker may let apps see all your files—even if you only choose one file to upload. This happens because the tool asks for permission to access your full OneDrive, not just the selected file.
The worst part? The screen that asks for your permission doesn’t clearly explain what the app can do. You might think you’re only giving access to one file, but you’re actually letting the app see everything in your OneDrive.
Why This Is Dangerous
This bug affects many popular services that use Microsoft’s cloud tools, like:
- ChatGPT
- Slack
- Trello
- ClickUp
Some apps store your login tokens (the keys to your account) in unsafe ways, such as in plain text in your browser. If someone gets that token, they could get into your OneDrive without your password.
What You Can Do
Until Microsoft fixes this issue, here are a few things you can do:
- Avoid using OneDrive to upload files in apps you don’t fully trust
- Don’t allow long-term access (which apps get through “refresh tokens”)
- Clear tokens after each session
- Store login tokens securely if you’re building an app
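One way to double-check what an app is asking for before you consent, as an added example that is not from the original article: the script reads the `scope` parameter of an OAuth sign-in URL and reports whole-drive file access and refresh-token requests. The scope names are Microsoft Graph permission names, the sample URL is constructed, and the rule that only `.Selected` and `.AppFolder` file scopes are limited is an assumption of this sketch.

```javascript
// Added example (not from the article): classify the scopes an OAuth
// authorization request asks for, before the user consents.

// Assumption: Files.* scopes ending in these suffixes are limited to
// picked files or the app's own folder; every other Files.* scope
// reaches the user's whole drive.
const LIMITED_SUFFIXES = [".selected", ".appfolder"];

function classifyScope(raw) {
  // Scopes may be written as a full resource URI; keep the last path segment.
  const lower = raw.split("/").pop().toLowerCase();
  if (lower === "offline_access") return "refreshToken"; // long-term access
  if (lower.startsWith("files.")) {
    return LIMITED_SUFFIXES.some((s) => lower.endsWith(s)) ? "limited" : "wholeDrive";
  }
  return "other";
}

function auditAuthorizeUrl(urlString) {
  const report = { wholeDrive: [], limited: [], other: [], refreshToken: false };
  // A request without a scope parameter yields an empty report.
  const scopeParam = new URL(urlString).searchParams.get("scope") || "";
  for (const raw of scopeParam.split(/\s+/).filter(Boolean)) {
    const kind = classifyScope(raw);
    if (kind === "refreshToken") report.refreshToken = true;
    else report[kind].push(raw.split("/").pop());
  }
  return report;
}

// Constructed sample request; client_id and redirect_uri are placeholders.
const SAMPLE_URL =
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=00000000-0000-0000-0000-000000000000" +
  "&response_type=code" +
  "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback" +
  "&scope=openid%20Files.Read.All%20offline_access";

const report = auditAuthorizeUrl(SAMPLE_URL);
if (report.wholeDrive.length > 0) {
  console.log("Whole-drive access requested:", report.wholeDrive.join(", "));
}
if (report.refreshToken) {
  console.log("Long-term access (refresh token) requested");
}
```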
Final Thoughts
This OneDrive File Picker bug is a reminder that even big platforms can have hidden risks. Always double-check the permissions you give and stay updated on security news.
Read the full article from The Hacker News to learn more.