10 Shocking Details About the OneDrive Flaw Revealed

Published On Sat May 31 2025


A recently identified security flaw in Microsoft OneDrive's file-share function may have given third-party services access to your entire cloud backup rather than just one individual file. Oasis Security says vague language in OneDrive's File Picker feature suggests people are only sharing access to one file. However, millions might have shared access to entire accounts across multiple services, and some of those services may still have access to files. Supported services include ChatGPT, Slack, Trello, Zoom, and hundreds more. OneDrive, meanwhile, houses files from users' Microsoft accounts, so this issue may have exposed data such as PDF documents or photographs alongside other files.


Security Concerns

The official OneDrive File Picker implementation requests read access to the entire drive—even when uploading just a single file—due to the lack of fine-grained OAuth scopes for OneDrive. Oasis Security says, "While users are prompted to provide consent before completing an upload, the prompt’s vague and unclear language does not communicate the level of access being granted, leaving users open to unexpected security risks." Oasis illustrated how the permissions work with ChatGPT's consent request, which reads, "ChatGPT will be able to open OneDrive files, including files shared by you." For many users, this may suggest the app only has access to the exact files shared, but it gives the app access to your entire cloud backup.
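One way to check what a consent request actually asks for, as an added example that is not from the article or from Oasis Security: it parses the scope parameter of an OAuth 2.0 authorization URL and separates drive-wide file scopes from narrower ones. The Microsoft Graph scope names and their grouping are assumptions not taken from the page, and the sample URL, client ID and redirect URI are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: Microsoft Graph delegated file scopes, grouped by reach.
# Files.Read / Files.ReadWrite cover all of the signed-in user's files;
# the .All variants add files other people have shared with the user.
DRIVE_WIDE = {"files.read", "files.read.all", "files.readwrite", "files.readwrite.all"}
# Narrower scopes: user-selected files or the app's own folder only.
LIMITED = {"files.read.selected", "files.readwrite.selected", "files.readwrite.appfolder"}
GRAPH_PREFIX = "https://graph.microsoft.com/"

def audit_consent_url(url):
    """Classify the scopes requested in an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(url).query)
    # scope is a space-delimited list; parse_qs decodes '+' and %20 to spaces.
    requested = " ".join(query.get("scope", [])).split()
    findings = {"drive_wide": [], "limited": [], "persistent": False, "unresolved": []}
    for scope in requested:
        # Scopes may be written in full resource-URI form.
        name = scope[len(GRAPH_PREFIX):] if scope.lower().startswith(GRAPH_PREFIX) else scope
        key = name.lower()
        if key in DRIVE_WIDE:
            findings["drive_wide"].append(name)
        elif key in LIMITED:
            findings["limited"].append(name)
        elif key == "offline_access":
            # A refresh token lets the app keep access after the upload is done.
            findings["persistent"] = True
        elif key == ".default":
            # Effective permissions come from the app registration, not the URL.
            findings["unresolved"].append(scope)
    return findings

# Constructed sample request (placeholder client ID and redirect URI).
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid+offline_access+https%3A%2F%2Fgraph.microsoft.com%2FFiles.Read.All"
)

if __name__ == "__main__":
    print(audit_consent_url(SAMPLE_URL))
```

A request that lists any drive-wide scope together with offline_access is the combination the article warns about: full-drive read access that outlives the single upload.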

Microsoft's Response

Oasis Security informed Microsoft (and the apps that connect with OneDrive) about the flaw before sharing it, but Microsoft has stated that fixing the issue is not a priority for the company. A spokesperson for Microsoft told PCMag, “We appreciate the partnership with Oasis Security in responsibly disclosing this issue. This technique does not meet our bar for immediate servicing as a user must provide consent to the application before any access is allowed. We will consider improvements to the experience in a future release.”


Protecting Your Data

To ensure your information is secure, go to your Microsoft account and navigate to Privacy in the left-hand corner. Here you’ll find an option called App Access, which displays a list of applications you’ve given permission to access your account. From here, you can see and manage the individual permissions you’ve granted each application. If you wish to revoke access for a specific service, simply click on Stop Sharing. Note that it may take up to an hour for this change to take effect.