Microsoft OneDrive Mistake—Check Now If All Your Files Have Been Shared

A new security report warns that millions of users have likely provided “ChatGPT and other web apps full read access to [their] entire OneDrive” without realizing. Given how easy a mistake this is to make, users are urged to check their settings immediately.
The team at Oasis Security estimates “that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp — meaning millions of users may have already granted these apps access to their OneDrive. This flaw could have severe consequences, including customer data leakage and violation of compliance regulations.”
The flaw stems from the way in which OneDrive’s File Picker works. When users think they’re sharing a single file, they’re likely sharing everything. “The official OneDrive File Picker implementation requests read access to the entire drive – even when uploading just a single file – due to the lack of fine-grained OAuth scopes for OneDrive.”
Oasis Security says they have advised Microsoft and others of the issue, but there have been no changes and so the onus is on users to check their settings. “While users are prompted to provide consent before completing an upload, the prompt’s vague and unclear language does not communicate the level of access being granted.”
Most of the likely file sharing is accidental, but this flaw also “makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option.” And now that the flaw has been publicly highlighted, it’s an invitation for abuse.
Oasis Security warns that the lack of “fine-grained OAuth scope” combined with the vague prompt presented to users “is a dangerous combination that puts both personal and enterprise users at risk.” The mitigation is as follows:
- “Log in to your Microsoft Account.
- In the left or top pane, click on ‘Privacy’.
- Under ‘App Access’, select the list of apps that have access to your account.
- Review the list of apps, and for each app, click on ‘Details’ to view the specific scopes and permissions granted.”
For enterprises, mitigation is different:
- “In the Entra Admin Center, navigate to the list of enterprise applications.
- The list will display an Application ID column (Client ID) and an Object ID column (also known as the Service Principal Object ID).
- To check the permissions granted to each app, click on an application, then click on the ‘Permissions’ button in the left pane. This will list all granted scopes and you can verify whether they are delegated.”
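For admins who would rather not click through every enterprise application, the same review can be scripted against Microsoft Graph. This is an added example, not code from the Oasis report or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK and a tenant reader role, and because the report does not name the exact scope the File Picker requests, the list of file scopes it flags is an assumption covering the standard Graph file and SharePoint permissions.

```powershell
# Added example (not from the Oasis report or Microsoft): list delegated OAuth2
# grants in the tenant whose scope includes broad file access, with the same
# Application ID / Object ID columns the Entra portal shows.
# ASSUMPTION: the report does not name the scope the File Picker requests, so
# the patterns below cover the standard Microsoft Graph file/site scopes.
$FileScopePatterns = @('Files.Read.All', 'Files.ReadWrite.All',
                       'Sites.Read.All', 'Sites.ReadWrite.All')

# Directory.Read.All is enough to read service principals and permission grants.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

# Resolve each service principal once; grants reference them only by object id.
$spCache = @{}
function Resolve-Sp([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id `
            -Property Id,AppId,DisplayName -ErrorAction SilentlyContinue
    }
    return $spCache[$Id]
}

$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    # Scope is a single space-separated string of delegated permissions.
    $scopes = ($grant.Scope -split '\s+') | Where-Object { $_ }
    $hits = $scopes | Where-Object { $FileScopePatterns -contains $_ }
    if (-not $hits) { continue }

    $client   = Resolve-Sp $grant.ClientId
    $resource = Resolve-Sp $grant.ResourceId
    [pscustomobject]@{
        App           = $client.DisplayName
        ApplicationId = $client.AppId       # "Application ID" (Client ID) column
        ObjectId      = $grant.ClientId     # "Object ID" (service principal) column
        Resource      = $resource.DisplayName
        ConsentType   = $grant.ConsentType  # AllPrincipals = admin consent for all users
        PrincipalId   = $grant.PrincipalId  # populated only for per-user consent
        FileScopes    = ($hits -join ' ')
    }
}

# Tenant-wide (AllPrincipals) grants are the ones to review first.
$findings | Sort-Object ConsentType, App | Format-Table -AutoSize
```

Each row is a delegated grant, so one app can appear several times when individual users consented separately; a row with ConsentType AllPrincipals means every user in the tenant is covered by a single admin consent.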
I have reached out to Microsoft for any comments on the new report and advice for OneDrive users. The full report into this security flaw is here.
Black Duck’s Jamie Boote warns “many people forget how vital the data in their OneDrive folders often are – scanned documents that end up in the ‘My Pictures’ or ‘My Documents’ folders may hold the key to one’s credit identity and profile. Whenever an app asks if you trust it, you’re trusting it with your most precious data.”