Vulnerabilities
Jun 2, 2026

Exclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk

Debug flag left in production code of six Microsoft 365 Android apps exposed account tokens to unauthorized apps.

Summary

Six Microsoft 365 Android apps (Word, PowerPoint, Excel, Copilot, Loop, OneNote) contained an identical vulnerability: a debug flag left enabled in production code that bypassed protections preventing unauthorized apps from accessing Microsoft account tokens. The flaw allowed any malicious app to request and receive FOCI tokens without user consent, potentially exposing billions of app installations to account compromise. Microsoft confirmed and patched the issues after Enclave disclosed the findings.

Full text

Six Microsoft 365 Android apps contain an identical flaw that could put billions of downloads at risk of compromise. The findings, shared exclusively with SecurityWeek ahead of the expected public release of the research on Tuesday, were uncovered by Enclave, an AI-powered exploitable bug hunter.

The flaw is nothing more than a single debug flag left in the production code of Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop and OneNote for Android. Someone left debug mode enabled in production: set IsDebugMode(true). The flag was enabled across all six apps, but not in other Microsoft (MS) apps such as Teams, which were therefore not affected.

The effect of such debug flags varies. Sometimes the purpose is simply to affect logging or to test output. “This one changed the behavior around account access token sharing,” explains Enclave in its report. “With debug mode enabled, the protection that should have blocked untrusted apps from receiving tokens was skipped.”

Microsoft’s intention is to let its authorized customers move from one MS app to another MS app on the same device without requiring a new login from the Android user each time. So the code in the apps is designed to pass access tokens to the other MS apps – but, crucially, not to any other Android app. The debug flag removed the restriction on non-MS apps, with the result that MS access tokens were handed to any Android app that requested them.

To exploit this flaw, an attacker could write code requesting MS access. It could be a separate app or code within a doctored Android app. The only requirement would be to get that app onto as many Android devices as possible. “The attacker could just write a snippet that is 15 lines of code. It just seeks access to the MS app and is given the token,” explains Yanir Tsarimi, co-founder and CPO at Enclave.
“It doesn’t get any simpler than that, because it’s just a feature that is supposed to be there.”

The flaw is not in handing over the access token, but in leaving a debug line that disabled the check limiting this handover to requests from the other MS apps installed on the Android device. “It was just a simple mistake that in this case is very painful.” One simple mistake potentially impacted apps totaling billions of downloads.

Tsarimi gave a potential exploitation scenario. “Suppose you are a mobile device game developer with auto update and 10,000 users. You write the malicious exploit code seeking access to the affected MS apps and include it within an update that gets delivered to your 10,000 users. Auto update installs it. The malicious code stealthily requests access to any MS app on the user’s Android, receives the token and quietly sends it back to you.”

In such a case, the victim may see nothing and be aware of nothing – but the attacker gets the token. “The owner of the app can do whatever they want with those tokens,” adds Tsarimi. “It’s essentially a supply chain attack, just from a different direction.”

The report confirms that the user sees nothing. “But from the attacker’s side, those tokens were enough to act through the Microsoft account and access the app that had just handed them over. We confirmed the issue in [all six of the MS] Android apps.”

The potential for misuse of the tokens is huge. They are Microsoft FOCI tokens that could be reused and refreshed over long periods without anyone noticing. “Any attacker-controlled app could gain full access to Microsoft account data exposed through the affected app context,” warns Enclave. “This could be emails, files, documents, communications, and calendar information. It could also allow the attacker to read sensitive information, modify documents, or send communications through the access exposed by the token.”

The firm reported the issues to Microsoft, and all were quickly confirmed.
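As an added illustration (not Microsoft's or Enclave's code), a minimal Java model of the gate described above: the vulnerable form, where a runtime debug flag short-circuits the caller check, beside a hardened form whose trust decision never depends on the flag, plus a startup guard that fails fast when a debug setting is on in a release build. It assumes sibling-app trust is decided by comparing the calling package's signing-certificate hash to an allowlist; the certificate bytes are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Set;

// Hypothetical model of an on-device token hand-off gate, written for this article;
// not Microsoft's code. Assumption: a sibling app is trusted when the SHA-256 of its
// signing certificate is on an allowlist (a real app would read the certificate via
// PackageManager; here the bytes are constructed placeholders).
public final class TokenHandoffGate {

    static String sha256Hex(byte[] cert) {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(cert));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Constructed placeholder for a trusted sibling app's signing certificate.
    static final byte[] SIBLING_CERT = "placeholder-sibling-signing-cert".getBytes(StandardCharsets.UTF_8);
    static final Set<String> TRUSTED_SIGNERS = Set.of(sha256Hex(SIBLING_CERT));

    // The pattern the article describes: a runtime debug flag skips the caller check,
    // so any app that asks receives the token.
    static boolean vulnerableAllows(byte[] callerCert, boolean isDebugMode) {
        if (isDebugMode) return true;
        return TRUSTED_SIGNERS.contains(sha256Hex(callerCert));
    }

    // Hardened form: the trust decision is unconditional; the flag may only add logging.
    static boolean hardenedAllows(byte[] callerCert, boolean isDebugMode) {
        boolean trusted = TRUSTED_SIGNERS.contains(sha256Hex(callerCert));
        if (isDebugMode) System.out.println("hand-off request, caller trusted=" + trusted);
        return trusted;
    }

    // Startup guard: a debug setting left on in a release build fails fast instead of
    // silently changing security behaviour.
    static void assertReleaseSafe(boolean isDebugBuild, boolean isDebugMode) {
        if (!isDebugBuild && isDebugMode)
            throw new IllegalStateException("debug mode enabled in a release build");
    }

    public static void main(String[] args) {
        byte[] unknownCert = "placeholder-unknown-app-cert".getBytes(StandardCharsets.UTF_8);
        // Unknown caller with debug on: the vulnerable gate hands the token over, the hardened one refuses.
        System.out.println("vulnerable: " + vulnerableAllows(unknownCert, true));
        System.out.println("hardened:   " + hardenedAllows(unknownCert, true));
        System.out.println("sibling:    " + hardenedAllows(SIBLING_CERT, false));
        assertReleaseSafe(false, true); // a release build with debug on refuses to start
    }
}
```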
Microsoft fixed the flaws and issued CVE numbers CVE-2026-41100, -41101 and -41102 on May 12. Relevant patches were distributed through the firm’s Patch Tuesday mechanism, apart from -41102 (the vulnerability in PowerPoint for Android), which was fixed and pushed as a patched build to the Google Play Store, also on May 12. Android users should now be safe, provided their patching is up to date.

“We reported the issues to MSRC, and all of them were confirmed and fixed,” concludes Enclave. “But the important part is this: a development setting reached production in several major apps and changed the behavior of a system protecting account access. That should be hard to do by accident. Here, it was not hard enough.”

Written by Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Entities

Microsoft (vendor)
Microsoft 365 (product)
Word for Android (product)
PowerPoint for Android (product)
Excel for Android (product)
Microsoft 365 Copilot (product)