“OneDrive File Picker Flaw Exposes Full Drive Access: Millions of Users at Risk”
- Tony Fortunato
- Jun 2
- 1 min read
Oasis Security's research team has uncovered a critical vulnerability in Microsoft's OneDrive File Picker, revealing that applications integrating this feature—such as ChatGPT, Slack, Trello, and ClickUp—may inadvertently gain read access to a user's entire OneDrive, rather than just the files explicitly selected for sharing. This flaw stems from the File Picker's use of overly broad OAuth permissions, compounded by vague consent prompts that fail to clearly inform users of the extent of access being granted. As a result, millions of users may have unknowingly exposed sensitive data, posing significant risks including data breaches and compliance violations.

Upon identifying the issue, Oasis promptly reported it to Microsoft and notified affected third-party vendors. In response, Microsoft is evaluating enhancements to the File Picker, aiming to implement more precise permission scopes that align with the specific files users intend to share. This incident underscores the necessity for developers to critically assess the permissions their applications request and for users to remain vigilant about the access they grant to third-party services. (SC Media)
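The practical takeaway for a developer is to inspect the `scope` parameter of the OAuth authorization request an integration actually sends, and compare it with what the feature needs. The following Python is an added example, not code from Oasis Security, Microsoft, or the article: it parses an OAuth 2.0 authorize URL and flags scopes that are broader than the declared need. The `Files.Read.All` / `Files.ReadWrite.All` / `Sites.*.All` names are Microsoft Graph delegated permission names; treating them as "broad" and the `needed` set used in the demo (including `Files.Read.Selected` as the narrower scope) are this example's own assumptions, not anything the article specifies.

```python
from urllib.parse import urlparse, parse_qs

# Microsoft Graph delegated scopes that grant access to every file or site the
# user can reach. Classifying them as "broad" is this example's policy; the
# article only says the picker's scopes were overly broad without naming them.
BROAD_SCOPES = {
    "Files.Read.All",
    "Files.ReadWrite.All",
    "Sites.Read.All",
    "Sites.ReadWrite.All",
}


def requested_scopes(authorize_url: str) -> list[str]:
    """Return the space-separated scopes in an OAuth 2.0 authorization request."""
    query = parse_qs(urlparse(authorize_url).query)
    # parse_qs returns a list per key; an absent scope parameter yields [].
    return query.get("scope", [""])[0].split()


def audit_scopes(authorize_url: str, needed: set[str]) -> dict:
    """Compare the scopes an app requests with the scopes it claims to need.

    Returns the requested list, the subset that is tenant-wide ("broad"),
    and the subset that exceeds the declared need. A non-empty 'broad' or
    'beyond_need' list is the signal a code review or CI check should fail on.
    """
    scopes = requested_scopes(authorize_url)
    return {
        "requested": scopes,
        "broad": sorted(s for s in scopes if s in BROAD_SCOPES),
        "beyond_need": sorted(s for s in scopes if s not in needed),
    }


# Constructed sample: an authorize URL of the shape a "pick a file" integration
# might build (client_id and redirect_uri are placeholders, not real values).
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=openid%20offline_access%20Files.Read.All"
)

# What a file-picker feature plausibly needs (assumed for illustration):
# sign-in, a refresh token, and read access limited to user-selected files.
PICKER_NEEDS = {"openid", "offline_access", "Files.Read.Selected"}


if __name__ == "__main__":
    report = audit_scopes(SAMPLE_AUTHORIZE_URL, PICKER_NEEDS)
    for key, value in report.items():
        print(f"{key:12}: {value}")
    if report["broad"] or report["beyond_need"]:
        print("FAIL: integration requests more access than the feature needs")
```

Run against the constructed URL, the audit reports `Files.Read.All` as both broad and beyond the declared need, which is exactly the condition the article describes: a consent screen that looks like "let this app open the file I picked" while the token behind it can read the whole drive. The same function can be pointed at the URLs an app generates in its test suite so the check runs on every change to the OAuth flow.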
For a detailed analysis of the vulnerability and recommended mitigation strategies, refer to the full report by Oasis Security.