"setIsDebugMode(true)," Enclave's Yanir Tsarimi and Ofek Levin found — a single line of code that turned a convenience into a wide-open door.
FlagLeft: the leftover debug flag that skipped security checks
Researchers at Enclave identified a development flag, dubbed FlagLeft, left enabled in production builds of multiple Microsoft 365 Android apps. That one line — setIsDebugMode(true) — disabled a check intended to limit account-token sharing to trusted Microsoft applications. Because the check was skipped, any other app on the same phone could request a signed-in user's token and receive it without prompting the user: no password, no login screen, no permission prompt.
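To make the failure mode concrete, here is an added illustration (not the article's or Microsoft's code; the class, method names and certificate hash are assumptions) of a token-broker caller check of the kind the article describes, with the debug-flag short-circuit beside the hardened form that always verifies the calling app's signing certificate:

```java
// Constructed example, not Microsoft's SDK code: hypothetical Android token-broker caller check; names and hash values are assumptions.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Set;
public final class CallerVerifier {
    // SHA-256 of the signing certificate(s) allowed to receive tokens (placeholder value).
    private static final Set<String> TRUSTED_CERT_SHA256 =
        Collections.singleton("PLACEHOLDER_SHA256_OF_TRUSTED_SIGNING_CERT");
    // Vulnerable pattern: a runtime debug switch that short-circuits the check.
    // A leftover setIsDebugMode(true) in a release build lets every app on the device pass.
    private static boolean isDebugMode = false;
    public static void setIsDebugMode(boolean on) { isDebugMode = on; }
    public static boolean callerIsTrustedVulnerable(Context ctx) {
        if (isDebugMode) return true;   // the FlagLeft-style bypass
        return signerIsTrusted(ctx);
    }
    // Hardened form: there is no bypass to leave enabled; the check is unconditional.
    public static boolean callerIsTrusted(Context ctx) {
        return signerIsTrusted(ctx);
    }
    // Fail closed: unknown package, multiple signers or a digest error all deny.
    private static boolean signerIsTrusted(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        try {
            for (String pkg : pkgs) {   // every package sharing the caller's UID must be trusted
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) return false;
                for (Signature sig : info.signingInfo.getApkContentsSigners()) {
                    if (!TRUSTED_CERT_SHA256.contains(sha256Hex(sig.toByteArray()))) return false;
                }
            }
            return true;
        } catch (Exception e) {
            return false;
        }
    }
    private static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The lesson for reviewers is the shape of the vulnerable method: any branch that returns true before the signature check is a single-line bypass waiting to ship, so the hardened form removes the branch rather than relying on someone remembering to flip the flag back.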
Which Microsoft 365 apps were affected and which CVEs followed
Enclave reported the flaw in six Microsoft apps: Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote — apps the source says have "billions of downloads between them." Teams shipped with the same flag set to false and was not affected; Enclave interprets that as a slip rather than intentional design.
Microsoft issued four CVEs on May 12, all classed as spoofing under improper access control (CWE-284):
- CVE-2026-41100 — Microsoft 365 Copilot (CVSS 4.4)
- CVE-2026-41101 — Word (CVSS 7.1)
- CVE-2026-41102 — PowerPoint (CVSS 7.1)
- CVE-2026-42832 — Excel (CVSS 7.7)
The four CVEs cover Copilot, Word, PowerPoint, and Excel; Enclave also reported the same flaw in Loop and OneNote, though neither received a separate CVE in the May batch. The National Vulnerability Database (NVD) lists the patched Word build for Android as 16.0.19822.20190, with earlier versions affected; the other apps were fixed through the same Google Play updates.
How an on-device app could hijack FOCI tokens and act as the user
The tokens being handed over were FOCI tokens — family refresh tokens Microsoft uses for single sign-on across its apps. These refresh tokens can be refreshed and reused over long stretches, and the resulting network traffic looks routine in logs; from a user's point of view, nothing visible happens.
With a stolen FOCI token, an untrusted app could read email, open files, browse the calendar, and send messages as the signed-in user. Enclave built a working proof of concept that pulled tokens through an unverified third-party app and used them to read email. Microsoft classifies these as local spoofing flaws — in plain terms, a malicious app already on the device is all it takes.
What Microsoft patched, and why patching alone may not be enough
Microsoft released fixes through Google Play updates that close the flag-based bypass. Nothing in Microsoft's May Patch Tuesday release was listed as publicly known or exploited, and the source states there is no public evidence the flaw was used before the fix.
However, the patch does not retroactively invalidate tokens an attacker may already have obtained. Because FOCI refresh tokens outlive an app update, accounts on devices that ran an old build alongside untrusted apps could still be compromised until refresh tokens are revoked and affected users perform a fresh sign-in. The source explicitly recommends revoking refresh tokens in such cases.
What this means for Android fleet managers, security teams, and end users
- Android fleet managers and security teams: Push the updated builds through mobile device management (MDM) and, as the source advises, confirm that no managed device is still running a Word build earlier than 16.0.19822.20190 or a pre-fix build of the other affected apps.
- End users: Update Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote from Google Play; the source's one clear instruction for individuals is to update those apps.
- Administrators and account owners with devices that ran older builds: Consider revoking refresh tokens and forcing fresh sign-ins for accounts on devices that ran an affected build alongside untrusted apps, because the patch does not revoke already-issued FOCI tokens.
The hole was small — a single debug flag — and wide in its practical reach because it lived in a shared Microsoft SDK and therefore repeated across multiple apps. Microsoft has closed the code path; organizations and users must close the session tokens that may still be at risk. For administrators, that means updating devices via MDM and, when warranted, revoking refresh tokens; for individuals, it means updating apps from Google Play and, if suspicious activity is suspected, signing out and back in manually.
Original story: https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html