
ZoeCyber
May 29, 2025 at 03:35 AM
*Microsoft OneDrive File Picker Security Flaw Discovered*
A security flaw has been discovered in Microsoft's OneDrive File Picker that could allow websites to access a user's entire cloud storage content, even if only a single file is selected for upload. This vulnerability stems from overly broad OAuth scopes and misleading consent screens.
*The Issue:*
- The OneDrive File Picker requests read access to the entire drive, even for single-file uploads.
- The consent prompt is vague and does not clearly explain the level of access being granted.
- OAuth tokens are often stored insecurely, and refresh tokens can grant ongoing access to user data long after the upload is done.
*Impacted Apps:*
- ChatGPT
- Slack
- Trello
- ClickUp
*Microsoft's Response:*
- Microsoft has acknowledged the problem but hasn't released a fix yet.
- Users are advised to consider temporarily removing the option to upload files from OneDrive via OAuth until a secure alternative is in place.
*Recommendations:*
- Avoid using refresh tokens.
- Store access tokens securely.
- Get rid of tokens when no longer needed.
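As an added illustration of the scope problem in *The Issue* and the token hygiene points in *Recommendations* (example code, not from the original post or from Microsoft), the snippet below decodes a Microsoft Graph access token and flags whole-drive `Files.*` scopes and the `offline_access` scope that yields a refresh token. The token is constructed for the example, with a placeholder signature; the audit reads claims only and does not verify the signature.

```javascript
// Constructed Microsoft Graph access token: real claim and scope names,
// fake values and a placeholder signature (no signature verification here).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

const SAMPLE_TOKEN = [
  b64url({ alg: "RS256", typ: "JWT", kid: "placeholder-key-id" }),
  b64url({
    aud: "https://graph.microsoft.com",
    scp: "Files.Read.All offline_access User.Read", // delegated scopes, space-separated
    exp: 1750000000,
  }),
  "placeholder-signature",
].join(".");

// Decode a JWT payload without verifying it (claims inspection only).
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Scopes an app can justify for a "pick one file" flow (assumption for this example).
const ACCEPTABLE = new Set(["User.Read"]);
// Graph file scopes that cover the whole drive: the over-broad grant the post describes.
const WHOLE_DRIVE = new Set([
  "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All", "Sites.Read.All",
]);

// Audit the delegated scopes in a token and return a list of findings.
function auditToken(token) {
  const claims = decodeJwtPayload(token);
  const scopes = (claims.scp || "").split(/\s+/).filter(Boolean);
  const findings = [];
  for (const s of scopes) {
    if (WHOLE_DRIVE.has(s)) findings.push(`whole-drive scope granted: ${s}`);
    else if (s === "offline_access") findings.push("offline_access granted: a refresh token keeps access alive");
    else if (!ACCEPTABLE.has(s)) findings.push(`unexpected scope: ${s}`);
  }
  return { scopes, findings, ok: findings.length === 0 };
}

console.log(JSON.stringify(auditToken(SAMPLE_TOKEN), null, 2));
```

Run the audit at token acquisition time and refuse to persist any token that produces findings; a token that only carries the scopes you can justify is the one worth storing at all.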
*Conclusion:*
This security flaw highlights the importance of continuous vigilance in OAuth scope management and regular security assessments to protect user data.