OneDrive File Picker Flaw Gives Apps Full Access to User Drives


A recent investigation by cybersecurity researchers at Oasis Security has revealed a data overreach in how Microsoft’s OneDrive File Picker handles permissions, opening the door for hundreds of popular web applications, including ChatGPT, Slack, Trello, and ClickUp, to access far more user data than most people realize.

According to the report, the problem comes from how the OneDrive File Picker requests OAuth permissions. Instead of limiting access to just the files a user selects for upload or download, the system grants connected applications broad read or write permissions across the user’s entire OneDrive. This means that when you click to upload a single file, the app may be able to see or modify everything in your cloud storage and maintain that access for extended periods.
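A check a defender can run on the consent request described above, added here as an example and not taken from the Oasis Security report or from Microsoft's code: it parses an OAuth authorization URL and flags Microsoft Graph file scopes that cover the whole drive, plus `offline_access`, which yields a refresh token. The scope groupings and both sample URLs (including the placeholder client ID) are assumptions constructed for illustration; the page does not name the scopes the File Picker requests.

```python
from urllib.parse import urlsplit, parse_qs

# Microsoft Graph delegated file scopes, grouped by reach (grouping is this example's assumption).
DRIVE_WIDE_READ = {"files.read", "files.read.all"}
DRIVE_WIDE_WRITE = {"files.readwrite", "files.readwrite.all"}

# Constructed sample requests; the client_id is a placeholder, not a real application.
_BASE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
         "?client_id=00000000-0000-0000-0000-000000000000&response_type=code&scope=")
SAMPLE_BROAD = _BASE + "openid%20Files.ReadWrite.All%20offline_access"
SAMPLE_NARROW = _BASE + "openid+https://graph.microsoft.com/Files.ReadWrite.AppFolder"


def _short(scope: str) -> str:
    """Drop a resource prefix such as https://graph.microsoft.com/ and lowercase."""
    return scope.rsplit("/", 1)[-1].lower()


def audit_authorize_url(url: str) -> dict:
    """Classify the scopes requested in an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(url).query)
    # parse_qs decodes %20 and '+'; scopes are space-separated inside the value.
    requested = [_short(s) for s in " ".join(query.get("scope", [])).split()]
    findings = []
    for s in requested:
        if s in DRIVE_WIDE_WRITE:
            findings.append(f"{s}: read/write access to the entire drive")
        elif s in DRIVE_WIDE_READ:
            findings.append(f"{s}: read access to the entire drive")
    persistent = "offline_access" in requested
    if persistent:
        findings.append("offline_access: refresh token keeps access alive after the session")
    return {
        "scopes": requested,
        "drive_wide": any(s in DRIVE_WIDE_READ | DRIVE_WIDE_WRITE for s in requested),
        "persistent": persistent,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, url in (("broad", SAMPLE_BROAD), ("narrow", SAMPLE_NARROW)):
        report = audit_authorize_url(url)
        print(label, report["scopes"])
        for line in report["findings"]:
            print("  FLAG", line)
```
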

A Hidden Access Problem

OAuth is the widely used industry standard that allows apps to request access to user data on another platform ...


Copyright of this story solely belongs to hackread.com.