A flaw in OneDrive's File Picker feature could give access to hundreds of apps
Briefly

A newly-discovered security flaw in OneDrive's File Picker feature exposes users' entire OneDrive content to third-party applications like ChatGPT. Researchers from Oasis Security identified that this vulnerability allows apps to access full content rather than specific files intended for upload, affecting hundreds of applications and millions of users. The study raises alarms about potential data leaks and compliance violations, criticizing the vague consent prompts users receive about permissions. The latest version of the File Picker also handles authentication insecurely, heightening the risk of unauthorized access.
The official OneDrive File Picker implementation requests read access to the entire drive - even when uploading just a single file - due to the lack of fine-grained OAuth scopes for OneDrive.
While users are prompted to provide consent before completing an upload, the prompt's vague and unclear language does not communicate the level of access being granted, leaving users open to unexpected security risks.
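A defender-side check, added here as an example and not code from IT Pro, Oasis Security or Microsoft: parse the `scope` parameter of a Microsoft identity platform authorization request and flag Graph file scopes that expose the whole drive rather than just the files a user picks. The scope names are real Microsoft Graph delegated permissions; the article does not state which scope the File Picker requests, so `Files.Read.All` below is only a constructed whole-drive case, and the client_id, redirect URI and sample URLs are placeholders.

```python
"""Audit an OAuth authorize URL for file scopes that expose the entire drive.
Scope names are real Microsoft Graph delegated permissions; the client_id,
redirect URI and sample URLs below are constructed placeholders."""
from urllib.parse import urlparse, parse_qs

GRAPH_PREFIX = "https://graph.microsoft.com/"

# Delegated scopes that grant access to every file in the user's drive
# (the ".All" variants also include files shared with the user).
BROAD_SCOPES = {"Files.Read", "Files.Read.All",
                "Files.ReadWrite", "Files.ReadWrite.All"}
# Delegated scopes limited to files the user explicitly selects.
NARROW_SCOPES = {"Files.Read.Selected", "Files.ReadWrite.Selected"}


def parse_scopes(auth_url: str) -> list[str]:
    """Return the requested scopes with any Graph URI prefix stripped."""
    raw = parse_qs(urlparse(auth_url).query).get("scope", [""])[0]
    scopes = []
    for scope in raw.split():
        if scope.startswith(GRAPH_PREFIX):
            scope = scope[len(GRAPH_PREFIX):]
        scopes.append(scope)
    return scopes


def audit_file_access(auth_url: str) -> dict[str, list[str]]:
    """Classify the file-related scopes in a consent request.
    broad  - read or write access over the whole drive
    narrow - limited to files the user picks
    review - '.default' pulls every permission configured on the app
             registration, so breadth cannot be judged from the URL alone
    """
    result: dict[str, list[str]] = {"broad": [], "narrow": [], "review": []}
    for scope in parse_scopes(auth_url):
        if scope == ".default":
            result["review"].append(scope)
        elif scope in BROAD_SCOPES:
            result["broad"].append(scope)
        elif scope in NARROW_SCOPES:
            result["narrow"].append(scope)
    return result


# Constructed consent requests: one whole-drive, one limited to picked files.
AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
COMMON = ("?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
          "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback&scope=")
WHOLE_DRIVE_URL = AUTHORIZE + COMMON + "openid%20https%3A%2F%2Fgraph.microsoft.com%2FFiles.Read.All%20offline_access"
PICKED_FILES_URL = AUTHORIZE + COMMON + "openid%20Files.Read.Selected"
```

Running `audit_file_access(WHOLE_DRIVE_URL)` lists `Files.Read.All` under `broad`, which is the signal that a single-file upload is asking for far more than it needs.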
Read at IT Pro