
Many people keep their important information stored in the cloud using programs like Microsoft OneDrive. This can deliver peace of mind and ensure you can access your files wherever you are. However, a recently discovered security flaw in Microsoft’s file-share function may be giving third-party services access to a user’s entire cloud backup instead of a single selected file.
Oasis Security says vague language in OneDrive’s File Picker feature suggests people are only sharing access to one file. However, millions might have shared access to entire accounts across multiple services, and some of those services may still have access to files.
Supported services include ChatGPT, Slack, Trello, Zoom, and hundreds more. OneDrive, meanwhile, houses files from users’ Microsoft accounts, so this issue may have exposed data such as PDF documents or photographs alongside other files.
“The official OneDrive File Picker implementation requests read access to the entire drive—even when uploading just a single file—due to the lack of fine-grained OAuth scopes for OneDrive,” Oasis Security says. “While users are prompted to provide consent before completing an upload, the prompt’s vague and unclear language does not communicate the level of access being granted, leaving users open to unexpected security risks.”
Oasis explained how permissions work using ChatGPT. The request reads, “ChatGPT will be able to open OneDrive files, including files shared by you.” For many users, this may suggest it only has access to the exact files shared, but it gives the app access to your entire cloud backup.
The permissions given to ChatGPT when connecting with OneDrive. (Credit: James Peckham)
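To make the scope problem concrete, the following added example (not code from Oasis Security, Microsoft, or PCMag) parses an OAuth authorization request and flags drive-wide file scopes. The scope names are Microsoft Graph delegated permissions that the article does not list, treating `offline_access` as a persistence indicator is an assumption of this example, and the sample URLs, client ID, and redirect URI are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Microsoft Graph delegated file scopes (assumed set; not named in the article).
# Drive-wide scopes cover every file in the user's drive, not one picked file.
DRIVE_WIDE = {"files.read", "files.read.all", "files.readwrite", "files.readwrite.all"}
# Narrow scopes are limited to selected files or the app's own folder.
NARROW = {"files.read.selected", "files.readwrite.selected", "files.readwrite.appfolder"}


def classify_scope(scope: str) -> str:
    """Classify one scope token; tolerates a resource prefix such as
    https://graph.microsoft.com/Files.Read.All."""
    name = scope.rsplit("/", 1)[-1].lower()
    if name in DRIVE_WIDE:
        return "drive-wide"
    if name in NARROW:
        return "narrow"
    if name == "offline_access":  # refresh token: access outlives the session
        return "persistent"
    return "other"


def audit_authorize_url(url: str) -> dict:
    """Group the scopes requested in an OAuth authorize URL by reach."""
    query = parse_qs(urlsplit(url).query)
    scopes = " ".join(query.get("scope", [])).split()
    report = {"drive-wide": [], "narrow": [], "persistent": [], "other": []}
    for scope in scopes:
        report[classify_scope(scope)].append(scope)
    # A single-file upload that asks for a drive-wide scope is over-privileged.
    report["over_privileged"] = bool(report["drive-wide"])
    # Drive-wide access plus a refresh token persists until it is revoked.
    report["long_lived"] = bool(report["drive-wide"] and report["persistent"])
    return report


# Constructed sample requests; client_id and redirect_uri are placeholders.
BASE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
        "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback&scope=")
BROAD_URL = BASE + "openid%20offline_access%20Files.Read.All"
NARROW_URL = BASE + "openid%20Files.ReadWrite.AppFolder"

if __name__ == "__main__":
    for label, url in (("broad", BROAD_URL), ("narrow", NARROW_URL)):
        print(label, audit_authorize_url(url))
```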
Oasis Security told Microsoft (and the apps that connect with OneDrive) about the flaw before sharing it, but Redmond has said that a fix isn’t a priority for the company.
A spokesperson for Microsoft told PCMag, “We appreciate the partnership with Oasis Security in responsibly disclosing this issue. This technique does not meet our bar for immediate servicing as a user must provide consent to the application before any access is allowed. We will consider improvements to the experience in a future release.”
How to Secure Your Data, Revoke Permissions on OneDrive
You may want to ensure your information is locked down so these services can’t access private or confidential docs. To do that, go to your Microsoft account and head to Privacy in the left-hand corner. Here you’ll find an option called App Access, which will display a list of applications you’ve given permission to access your account.
Here, you can see which individual permissions you’ve given each application. If you want to remove a service, click Stop Sharing. This may take up to an hour to take effect.
About James Peckham
Reporter