vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Flaw In Microsoft OneDrive Grants Access To External Apps
Andrea Miliani, Cybersecurity Researcher. First published on June 07, 2025

Researchers at Oasis Security revealed last week that a flaw in Microsoft’s OneDrive File Picker was allowing external apps, such as Zoom, ChatGPT, Trello, Slack, and ClickUp, to access users’ content. The experts warn that millions of users could be affected, with potential risks of data leakage and violations of compliance regulations.

According to the report, published on May 28 and titled “ChatGPT & other web apps may have full read access to your entire OneDrive,” external apps were able to access users’ entire document collections during uploads, rather than being limited to specific files.

“This issue arises from the lack of fine-grained OAuth scope for OneDrive, which causes the official OneDrive File Picker implementation to request read access to the entire drive — even when uploading just a single file,” states the document.

The cybersecurity firm reached out to Microsoft and relevant app vendors before publicly disclosing the vulnerability. Microsoft responded it would consider the research for future improvements.

The research team also explained that when users granted broad OAuth access, the linked applications could also modify the cloud storage and remain connected for extended periods of time.

The OneDrive File Picker’s permission model supports third-party file uploads and downloads, but in doing so it lets external websites read and write the entire OneDrive account, which Oasis considers “a case of excessive permissions.”

“This isn’t just a privacy concern, it’s a potential security gap affecting millions of users and potentially exposing sensitive personal and professional information,” wrote the cybersecurity company on its website. “This happens because of how Microsoft’s OneDrive File Picker works: it requests broad permissions that stay active for up to an hour, or longer if refresh tokens are used.”

Oasis recommends that users review which apps have access to their OneDrive accounts and revoke all suspicious permissions. The research team also encouraged spreading awareness and being cautious when uploading content to unfamiliar websites.
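The report’s two concerns, drive-wide scope and long-lived access, are both visible in what an app asks for at consent time and in what the issued token carries. The following Python audit helper is an added example (not from the article or from Oasis’s report): it flags drive-wide Microsoft Graph delegated scopes such as Files.Read.All in an OAuth consent URL or in a decoded access token’s `scp` claim, flags `offline_access` (the scope that yields refresh tokens), and reports the token lifetime. The sample token and the “expected scopes” baseline are constructed assumptions for the example.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

# Microsoft Graph delegated scopes that grant access to the whole drive/site,
# i.e. the kind of broad grant the Oasis report describes.
BROAD_SCOPES = {"Files.Read.All", "Files.ReadWrite.All",
                "Sites.Read.All", "Sites.ReadWrite.All"}
# offline_access is the OAuth/OIDC scope that lets an app obtain refresh tokens
# and therefore keep access beyond the access token's own lifetime.
PERSISTENT_SCOPES = {"offline_access"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT payload WITHOUT signature verification (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit_scopes(scopes, expected) -> dict:
    """Compare requested scopes against the baseline an app actually needs."""
    scopes = set(scopes)
    return {"broad": sorted(scopes & BROAD_SCOPES),
            "persistent": sorted(scopes & PERSISTENT_SCOPES),
            "unexpected": sorted(scopes - set(expected))}


def audit_consent_url(url: str, expected) -> dict:
    """Audit the space-separated 'scope' parameter of an authorize URL."""
    query = parse_qs(urlparse(url).query)
    return audit_scopes(query.get("scope", [""])[0].split(), expected)


def audit_token(token: str, expected) -> dict:
    """Audit a delegated access token: its 'scp' claim and exp-iat lifetime."""
    claims = decode_jwt_claims(token)
    result = audit_scopes(claims.get("scp", "").split(), expected)
    result["lifetime_s"] = claims["exp"] - claims["iat"]
    return result


def make_sample_token(scp: str, lifetime_s: int) -> str:
    """Constructed, unsigned sample token for offline testing; not a real token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    payload = {"scp": scp, "iat": 1_700_000_000, "exp": 1_700_000_000 + lifetime_s}
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."
```

A non-empty `broad` list on a single-file upload flow is the excess the report describes; a non-empty `persistent` list means the grant outlives the hour-long token and is worth reviewing in the account’s app permissions.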

A few days ago, malicious actors exploited a vulnerability in Google’s OAuth system, successfully sending phishing emails that appeared authentic through a DKIM replay attack.

About the Author

Andrea is a seasoned tech journalist with a growing passion for cybersecurity, covering cyberattacks, AI breakthroughs, and the latest trends shaping the future of technology.
