OneDrive Security Risk Exposes Your Entire Cloud Storage
OneDrive Flaw Uncovered Potential Full Drive Access
A recently identified security flaw in Microsoft OneDrive's file-share function may have inadvertently granted third-party services access to your entire cloud backup, rather than just the single file you intended to share.
How Vague Permissions Expose Your Data
Security firm Oasis Security highlights in a report that ambiguous language within OneDrive's File Picker feature misleads users into believing they are authorizing access to only one file. In reality, this could mean millions have unintentionally shared access to their entire OneDrive accounts across numerous services, some of which might retain this broad access.
Popular services implicated include ChatGPT, Slack, Trello, Zoom, and potentially hundreds more. Given that OneDrive often stores a wide array of personal and sensitive data from users' Microsoft accounts—such as PDF documents, photos, and other private files—this flaw could have led to significant data exposure.
"The official OneDrive File Picker implementation requests read access to the entire drive—even when uploading just a single file—due to the lack of fine-grained OAuth scopes for OneDrive," Oasis Security explains. "While users are prompted to provide consent before completing an upload, the prompt's vague and unclear language does not communicate the level of access being granted, leaving users open to unexpected security risks."
To illustrate, Oasis Security described the permission process with ChatGPT. The prompt states, "ChatGPT will be able to open OneDrive files, including files shared by you." Many users might interpret this as access limited to explicitly shared files. However, this wording actually grants the application access to the user's entire cloud backup.
Microsoft's Response and Awaited Fix
Oasis Security proactively informed Microsoft and the applications connecting with OneDrive about this vulnerability prior to public disclosure. In response, Microsoft has acknowledged the issue and stated it is considering a fix. However, a definitive timeline for the implementation of this solution has not yet been provided. We (PCMag, the original source) have reached out to Microsoft for further comment.
How to Secure Your OneDrive Data and Revoke Permissions
It is crucial to review and manage the permissions granted to third-party applications to ensure your private or confidential documents are not unnecessarily exposed.
To secure your data, follow these steps:
- Go to your Microsoft account settings.
- Navigate to the Privacy section, typically found in the left-hand menu.
- Look for an option labeled App Access (or similar, such as "Apps and services you've given access"). This will display a list of applications that have been granted permission to access your account data.
On this page, you can examine the specific permissions granted to each application. If you find a service whose access you wish to revoke or limit:
- Click on the service to see details.
- Select the option to Stop Sharing or Remove these permissions.
Be aware that it may take up to an hour for these changes to fully take effect. Regularly reviewing these permissions is a good practice to maintain control over your data.
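For an organisation whose users sign in with work accounts, the same review (which apps hold drive-wide scopes such as the one the File Picker requests) can be scripted against consent records. The script below is an added example, not code from PCMag or Oasis Security: it audits a constructed list of grants shaped like Microsoft Graph `oauth2PermissionGrant` objects, and the grouping of scope names into "drive-wide" and "narrow" is the example author's own assumption.

```python
"""Audit OAuth consent grants for drive-wide OneDrive/SharePoint file scopes.
Records mimic Microsoft Graph 'oauth2PermissionGrant' fields (clientId,
consentType, principalId, scope); a real audit would read them from
GET /v1.0/oauth2PermissionGrants, here they are constructed."""
import json

# Delegated Graph scopes that cover the user's whole drive (assumption: this
# grouping is the example author's, not Microsoft's or Oasis Security's).
DRIVE_WIDE_SCOPES = {
    "Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}
# Scopes limited to an app folder or to items the user picked.
NARROW_SCOPES = {
    "Files.ReadWrite.AppFolder", "Files.Read.Selected", "Files.ReadWrite.Selected",
}

# Constructed sample grants; clientId values are placeholders, not real app ids.
SAMPLE_GRANTS = json.dumps([
    {"clientId": "app-upload-picker", "consentType": "Principal",
     "principalId": "user-1", "scope": "openid profile Files.Read.All"},
    {"clientId": "app-notes-sync", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Files.ReadWrite.AppFolder offline_access"},
    {"clientId": "app-calendar", "consentType": "Principal",
     "principalId": "user-2", "scope": "Calendars.Read"},
    {"clientId": "app-legacy-backup", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Files.ReadWrite.All"},
])


def classify_scopes(scope_field):
    """Split a space-separated scope string into (drive_wide, narrow) sets."""
    scopes = set(scope_field.split())
    return scopes & DRIVE_WIDE_SCOPES, scopes & NARROW_SCOPES


def find_drive_wide_grants(grants_json):
    """Return (clientId, consentType, sorted drive-wide scopes) for each grant
    exposing the whole drive; tenant-wide 'AllPrincipals' consent sorts first
    because it applies to every user, not only the one who clicked Accept."""
    findings = []
    for grant in json.loads(grants_json):
        wide, _narrow = classify_scopes(grant.get("scope", ""))
        if wide:
            findings.append((grant["clientId"], grant["consentType"], sorted(wide)))
    findings.sort(key=lambda f: f[1] != "AllPrincipals")
    return findings
```

Calling `find_drive_wide_grants(SAMPLE_GRANTS)` returns the two drive-wide grants, with the tenant-wide backup app listed before the per-user picker app; the app-folder-only grant is not reported.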