A potential vulnerability in OneDrive's File Picker feature might give approximately 300 linked applications unauthorized access to users' files.
A recent security vulnerability in Microsoft's OneDrive File Picker could potentially expose users' entire OneDrive content to third-party web applications, such as ChatGPT.
The flaw, discovered by Oasis Security, allows websites to gain access to a user's entire OneDrive content, rather than just the files selected for upload via the File Picker feature. Preliminary findings suggest that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp, potentially placing millions of users at risk.
According to researchers, this issue could lead to significant consequences, including data leakage and regulatory breaches. The concern arises due to OneDrive File Picker's practice of requesting full drive access even when uploading a single file, without clearly communicating the extent of the granted access to users.
Researchers warned that it is impossible for users to discern between malicious apps and legitimate ones due to a lack of secure alternatives. Notably, OpenAI, the developer of ChatGPT, uses the latest version of OneDrive File Picker (8.0), potentially granting full read access to users' OneDrive content.
To secure OneDrive content, organizations are advised to review the permissions granted to each app in the Entra Admin Center, particularly for web apps. In some cases, it may be prudent to temporarily remove the option to upload files using OneDrive through OAuth until Microsoft provides a secure alternative.
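One way to carry out the Entra Admin Center permission review recommended above, as an added example that is not from the article or from Oasis Security: a small Python script that scans an export of a tenant's delegated OAuth grants (the Microsoft Graph oauth2PermissionGrants collection) and flags apps holding a whole-drive file scope, listing tenant-wide admin consents first. The scope names Files.Read.All and Files.ReadWrite.All (the article only says "full drive access"), the sample grants and the app IDs are assumptions, not from the article.

```python
"""Flag delegated OAuth grants (Microsoft Graph export) that cover a user's whole OneDrive.

Assumed, not from the article: input is the "value" list of GET /v1.0/oauth2PermissionGrants.
"""
import json

# Delegated Graph scopes that reach every file the consenting user can reach, not just
# the files picked in the dialog. Assumed here to be the "full drive access" the article describes.
BROAD_FILE_SCOPES = {"Files.Read.All", "Files.ReadWrite.All"}

# Constructed sample export: three grants for three apps. All IDs are placeholders.
SAMPLE_GRANTS_JSON = json.dumps({"value": [
    {"id": "grant-1", "clientId": "sp-filepicker-app", "consentType": "Principal",
     "principalId": "user-42", "resourceId": "sp-msgraph",
     "scope": "openid profile Files.Read.All offline_access"},
    {"id": "grant-2", "clientId": "sp-notes-app", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-msgraph",
     "scope": "User.Read Files.ReadWrite.All"},
    {"id": "grant-3", "clientId": "sp-calendar-app", "consentType": "Principal",
     "principalId": "user-7", "resourceId": "sp-msgraph",
     "scope": "User.Read Calendars.Read"},
]})


def find_broad_file_grants(grants_json: str) -> list[dict]:
    """Return one finding per grant whose scope string includes a whole-drive file scope."""
    findings = []
    for grant in json.loads(grants_json)["value"]:
        # Graph stores delegated scopes as one space-separated string.
        scopes = set(grant.get("scope", "").split())
        broad = sorted(scopes & BROAD_FILE_SCOPES)
        if not broad:
            continue
        findings.append({
            "grant_id": grant["id"],
            "client_id": grant["clientId"],
            "broad_scopes": broad,
            # 'AllPrincipals' = admin consent for every user: the whole tenant is exposed,
            # not one user's drive, so these sort first for review or revocation.
            "tenant_wide": grant.get("consentType") == "AllPrincipals",
            "affected_user": grant.get("principalId"),
        })
    return sorted(findings, key=lambda f: (not f["tenant_wide"], f["client_id"]))


if __name__ == "__main__":
    for f in find_broad_file_grants(SAMPLE_GRANTS_JSON):
        print(f["client_id"], ", ".join(f["broad_scopes"]),
              "tenant-wide" if f["tenant_wide"] else f"user {f['affected_user']}")
```

Replace SAMPLE_GRANTS_JSON with the JSON body of a real oauth2PermissionGrants export to run the check against your own tenant.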
Individuals are urged to be vigilant about their OneDrive content, as sensitive information such as bank records, medical records, and personal photos could unintentionally be synced and stored in their OneDrive folders. When granting app permissions, it's crucial to consider the most precious data at stake.
Microsoft has been made aware of the issue and is reportedly considering tighter alignment between the functions of OneDrive File Picker and the access it requires. Users are encouraged to regularly review and revoke unnecessary app permissions, use alternative file-sharing methods when possible, and enable two-factor authentication on their Microsoft accounts for added security.
The vulnerability in Microsoft's OneDrive File Picker, which potentially exposes users' sensitive cloud data to third-party web applications including ChatGPT, also raises compliance concerns that call for stronger security measures. Given the risk of data leakage and regulatory breaches, organizations should review the permissions granted to each app in the Entra Admin Center and consider temporarily removing the option to upload files from OneDrive via OAuth until a secure alternative is available.