
Latest news with #OasisSecurity

Microsoft OneDrive Mistake—Check Now If All Your Files Have Been Shared

Forbes

29-05-2025


Check your settings now. A new security report warns that millions of users have likely provided "ChatGPT and other web apps full read access to [their] entire OneDrive" without realizing. Given how easy a mistake this is to make, users are urged to check their settings immediately.

The team at Oasis Security estimates "that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp — meaning millions of users may have already granted these apps access to their OneDrive. This flaw could have severe consequences, including customer data leakage and violation of compliance regulations."

The flaw stems from the way in which OneDrive's File Picker works. When users think they're sharing a single file, they're likely sharing everything. "The official OneDrive File Picker implementation requests read access to the entire drive – even when uploading just a single file – due to the lack of fine-grained OAuth scopes for OneDrive."

Oasis Security says they have advised Microsoft and others of the issue, but there have been no changes and so the onus is on users to check their settings. "While users are prompted to provide consent before completing an upload, the prompt's vague and unclear language does not communicate the level of access being granted."

Most of the likely file sharing is accidental, but this flaw also "makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option." And now the flaw has been publicly highlighted, it's an invitation for abuse.

Oasis Security warns that the lack of "fine-grained OAuth scope" combined with the vague prompt presented to users "is a dangerous combination that puts both personal and enterprise users at risk."

The mitigation is as follows: For enterprises, mitigation is different:

I have reached out to Microsoft for any comments on the new report and advice for OneDrive users. The full report into this security flaw is here.

Black Duck's Jamie Boote warns "many people forget how vital the data in their OneDrive folders often are – scanned documents that end up in the 'My Pictures' or 'My Documents' folders may hold the key to one's credit identity and profile. Whenever an app asks if you trust it, you're trusting it with your most precious data."
