Major Security Flaw in Microsoft OneDrive File Picker Exposes Cloud Data


A significant security vulnerability has been identified in Microsoft’s OneDrive File Picker, potentially exposing users’ entire cloud storage to malicious websites. This flaw, detailed in an article by Ravie Lakshmanan on The Hacker News, highlights how seemingly innocuous file uploads could grant unintended broad access to your personal cloud data.

The core of the issue lies in the overly permissive OAuth scopes and deceptive consent screens within the OneDrive File Picker. When users attempt to upload a single file, the consent prompt fails to adequately convey that by proceeding, they might be granting access to their entire cloud storage, rather than just the selected file. This misrepresentation could lead to a severe privacy breach, allowing attackers to access all user files stored on OneDrive.

Several popular applications, including ChatGPT, Slack, Trello, and ClickUp, are reportedly affected by this vulnerability due to their integration with Microsoft’s cloud services. While Microsoft has acknowledged the existence of this critical flaw, a definitive fix has yet to be implemented. Users are advised to exercise caution and review the permissions requested by applications when integrating with cloud storage services.
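
One way to review what an integration asks for before consenting is to read the `scope` parameter of its Microsoft sign-in URL. The script below is an added example, not code from the original article or from Microsoft; the scope names are Microsoft Graph delegated file permissions that the article itself does not list, and the sample URLs and client ID are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Microsoft Graph delegated file permissions, grouped by how much they reach.
WHOLE_DRIVE = {
    "files.read": "read every file in the user's drive",
    "files.readwrite": "read and modify every file in the user's drive",
    "files.read.all": "read every file the user can access, shared items included",
    "files.readwrite.all": "read and modify every file the user can access",
}
NARROW = {"files.read.selected", "files.readwrite.selected", "files.readwrite.appfolder"}

# Constructed sample consent URLs (placeholder client ID).
BASE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-000000000000&response_type=code&scope=")
SAMPLE_BROAD = BASE + "openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2FFiles.ReadWrite.All"
SAMPLE_NARROW = BASE + "User.Read+Files.ReadWrite.AppFolder"

def normalize(scope):
    """Reduce 'https://graph.microsoft.com/Files.Read' to 'files.read'."""
    return scope.rstrip("/").rsplit("/", 1)[-1].lower()

def audit_consent_url(url):
    """Return (level, scope, reason) findings for an OAuth authorize URL."""
    raw = " ".join(parse_qs(urlsplit(url).query).get("scope", []))
    scopes = {normalize(s) for s in raw.replace(",", " ").split()}
    broad = scopes & WHOLE_DRIVE.keys()
    findings = [("HIGH", s, WHOLE_DRIVE[s]) for s in sorted(broad)]
    if ".default" in scopes:  # permissions are not visible in the URL at all
        findings.append(("REVIEW", ".default", "permissions come from the app registration, not this URL"))
    if broad and "offline_access" in scopes:
        findings.append(("HIGH", "offline_access", "refresh token keeps the drive access alive after the upload"))
    findings += [("OK", s, "limited to selected items or the app's own folder") for s in sorted(scopes & NARROW)]
    if not scopes:
        findings.append(("REVIEW", "", "no scope parameter in the URL"))
    return findings

if __name__ == "__main__":
    for url in (SAMPLE_BROAD, SAMPLE_NARROW):
        for level, scope, reason in audit_consent_url(url):
            print(f"{level:6} {scope:28} {reason}")
```
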

For more details on this vulnerability, you can refer to the original article on The Hacker News.
