Microsoft OneDrive Mistake—Check Now If All Your Files Have Been Shared

Forbes, 5 days ago

Check your settings now.
A new security report warns that millions of users have likely provided 'ChatGPT and other web apps full read access to [their] entire OneDrive' without realizing it. Given how easy this mistake is to make, users are urged to check their settings immediately.
The team at Oasis Security estimates 'that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp — meaning millions of users may have already granted these apps access to their OneDrive. This flaw could have severe consequences, including customer data leakage and violation of compliance regulations.'
The flaw stems from the way in which OneDrive's File Picker works. When users think they're sharing a single file, they're likely sharing everything. 'The official OneDrive File Picker implementation requests read access to the entire drive – even when uploading just a single file – due to the lack of fine-grained OAuth scopes for OneDrive.'
Oasis Security says it has advised Microsoft and others of the issue, but there have been no changes, so the onus is on users to check their settings. 'While users are prompted to provide consent before completing an upload, the prompt's vague and unclear language does not communicate the level of access being granted.'
Most of the likely file sharing is accidental, but the flaw also 'makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option.' Now that the flaw has been publicly highlighted, it is an invitation for abuse.
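One way to act on the advice to check what apps have been granted: audit each app's consented OAuth scopes and flag any that cover a whole drive rather than individual files. This is an added example, not code from the Forbes article or from Oasis Security; the input records are constructed to mirror the shape of Microsoft Graph oauth2PermissionGrant objects (clientId, principalId, space-separated scope), and the scope names are Microsoft Graph delegated permissions grouped by breadth on the assumption that only the `.Selected`/`.AppFolder` scopes are per-file. Which scope the File Picker itself requests is not stated in the article.

```python
import json

# Constructed sample of consent grants in the shape Microsoft Graph returns
# from /oauth2PermissionGrants. All ids and scope strings are made up.
SAMPLE_GRANTS = json.dumps([
    {"clientId": "app-A", "principalId": "user-1",
     "scope": "openid profile Files.Read.All offline_access"},
    {"clientId": "app-B", "principalId": "user-1",
     "scope": "https://graph.microsoft.com/Files.ReadWrite.Selected"},
    {"clientId": "app-C", "principalId": "user-2",
     "scope": "User.Read Files.ReadWrite"},
])

# Breadth classes (assumption) for Microsoft Graph delegated file scopes.
# Whole-drive scopes grant far more than a single-file upload needs; the
# ".All" variants also cover files shared with the user.
WHOLE_DRIVE = {"files.read", "files.readwrite",
               "files.read.all", "files.readwrite.all",
               "sites.read.all", "sites.readwrite.all"}
PER_FILE = {"files.read.selected", "files.readwrite.selected",
            "files.readwrite.appfolder"}

def normalize_scope(raw):
    """Drop an optional resource-URI prefix and lower-case the scope name."""
    return raw.rsplit("/", 1)[-1].lower()

def classify_scopes(scope_string):
    """Split a space-separated scope claim into (whole_drive, per_file, other)."""
    whole, per_file, other = [], [], []
    for raw in scope_string.split():
        name = normalize_scope(raw)
        if name in WHOLE_DRIVE:
            whole.append(name)
        elif name in PER_FILE:
            per_file.append(name)
        else:
            other.append(name)
    return whole, per_file, other

def find_overbroad_grants(grants_json):
    """Return (clientId, principalId, whole-drive scopes) for each grant that
    gives an app access beyond individually selected files."""
    findings = []
    for grant in json.loads(grants_json):
        whole, _, _ = classify_scopes(grant.get("scope", ""))
        if whole:
            findings.append((grant["clientId"], grant["principalId"], sorted(whole)))
    return findings

if __name__ == "__main__":
    for client, principal, scopes in find_overbroad_grants(SAMPLE_GRANTS):
        print(f"{client} (consented by {principal}): {', '.join(scopes)}")
```

Feed it the JSON exported from your tenant's grant listing, or, for a personal account, the scopes shown on each app in the account's app-permissions page, to see which apps hold whole-drive access.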
Oasis Security warns that the lack of 'fine-grained OAuth scope' combined with the vague prompt presented to users 'is a dangerous combination that puts both personal and enterprise users at risk.' The mitigation is as follows:
For enterprises, mitigation is different:
I have reached out to Microsoft for any comments on the new report and advice for OneDrive users. The full report into this security flaw is here.
Black Duck's Jamie Boote warns: 'many people forget how vital the data in their OneDrive folders often are – scanned documents that end up in the "My Pictures" or "My Documents" folders may hold the key to one's credit identity and profile. Whenever an app asks if you trust it, you're trusting it with your most precious data.'