[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fx9qcBQ7NtI0OJ1JJVvbW6pv3SnMwUtMxqrW9cYhcJ8g":3},{"article":4,"iocs":48},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"189a66bf-b8b5-45e2-a320-5eae9d1bcc5a","Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag","microsoft-365-android-apps-let-any-app-steal-account-tokens-via-leftover-debug-f-2592a5","A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps. Any other app on the same phone could ask for the signed-in user's token and get it, then read email, open files, browse the calendar, and send messages as that user. No password, no login screen, no permission prompt.","A development flag (setIsDebugMode(true)) left enabled in production builds of Microsoft 365 Android apps (Word, PowerPoint, Excel, Copilot, Loop, OneNote) disabled token-sharing validation, allowing any app on the device to steal FOCI tokens and impersonate users without authentication. Microsoft patched the vulnerability (CVE-2026-41100\u002F41101\u002F41102\u002F42832) in May 2026; users should update immediately and consider revoking refresh tokens on potentially compromised devices.","Microsoft 365 Android apps leak account tokens via leftover debug flag in production builds.","Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag Swati KhandelwalJun 03, 2026Vulnerability \u002F Mobile Security A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps. Any other app on the same phone could ask for the signed-in user's token and get it, then read email, open files, browse the calendar, and send messages as that user. No password, no login screen, no permission prompt. Microsoft has patched it, and if you run Microsoft 365 apps on Android, update them. The bug, which Enclave calls FlagLeft, hit Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote, six apps with billions of downloads between them. Teams shipped with the same flag set to false and were not affected, which Enclave reads as a slip rather than a design. Microsoft 365 apps share account access on purpose, so signing into Word means you do not sign in again for PowerPoint. The handoff is supposed to verify who is asking and turn away anything that is not a trusted Microsoft app. Enclave's Yanir Tsarimi and Ofek Levin found the check was being skipped because of a single line left in the shipping code: setIsDebugMode(true). The flaw sat in a shared Microsoft SDK, so the same hole showed up in app after app. The tokens handed over were FOCI tokens, the family refreshes tokens Microsoft uses for single sign-on across its apps. They can be refreshed and reused over long stretches, and the resulting traffic looks routine in logs. From the user's side, nothing visible happens. Enclave built a working proof of concept that pulled tokens through an unverified third-party app and read email with them. Microsoft classifies these as local spoofing flaws; in plain terms, a malicious app already on the device is all it takes. Microsoft issued four CVEs on May 12, all classed as spoofing under improper access control (CWE-284): CVE-2026-41100 for Microsoft 365 Copilot (CVSS 4.4), CVE-2026-41101 for Word (CVSS 7.1), CVE-2026-41102 for PowerPoint (CVSS 7.1), and CVE-2026-42832 for Excel (CVSS 7.7). The four CVEs cover Copilot, Word, PowerPoint, and Excel. Enclave reported the same flaw in Loop and OneNote, but neither got a separate CVE in the May batch. NVD lists the patched Word build for Android as 16.0.19822.20190, with earlier versions affected. The other apps were fixed through the same Google Play updates. Nothing in Microsoft's May Patch Tuesday release was listed as publicly known or exploited, and there is no public evidence that the flaw was used before the fix. What to do? Update Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote from Google Play. Security teams managing Android fleets should push the updates through MDM and confirm devices are off builds earlier than 16.0.19822.20190. The patch closes the hole, but it does not retroactively kill tokens that an attacker may already hold. FOCI refresh tokens outlive an app update, so for accounts on devices that ran an old build alongside untrusted apps, it is worth revoking refresh tokens and forcing a fresh sign-in. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Android, cybersecurity, Microsoft, Microsoft 365, mobile security, Patch Management, Vulnerability ⚡ Top Stories This Week Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More Malicious npm Package Stole Files From Claude AI User Directory via GitHub GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions ⭐ Featured Resources Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report Learn How to Stop Attacks Before They Reach Your EDR – With PHASR Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo) [Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fmicrosoft-365-android-apps-let-any-app.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEh_pEYWDRVadGL0WYM3iSY6jqFgBez8snXgoyeyAzcXNmxiytv-FgiKoBJX3aPivuYhSJjXp4o_zO1dQSIPUfduaAlB-rvSti7pFhdDZSrAa-ennBdfdVpe1Xo0dMxKATB8te61pyJAf60x5CP6OJzjzmtpFIg_qHQqA7VP-rUnEpaT37Z0qBOmbZ52BfM\u002Fs1600\u002Fms-android.jpg","2026-06-03T14:56:35+00:00","2026-06-03T22:00:23.210691+00:00",9,[18,21,24,26,28,30],{"name":19,"type":20},"Microsoft","vendor",{"name":22,"type":23},"Microsoft 365","product",{"name":25,"type":23},"Word",{"name":27,"type":23},"PowerPoint",{"name":29,"type":23},"Excel",{"name":31,"type":23},"Microsoft 365 Copilot","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":32,"icon":34,"name":35,"slug":36},null,"Vulnerabilities","vulnerabilities",[38,43],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",[49,53,56,59],{"type":50,"value":51,"context":52},"cve","CVE-2026-41100","Microsoft 365 Copilot token theft vulnerability (CVSS 4.4)",{"type":50,"value":54,"context":55},"CVE-2026-41101","Microsoft Word token theft vulnerability (CVSS 7.1)",{"type":50,"value":57,"context":58},"CVE-2026-41102","Microsoft PowerPoint token theft vulnerability (CVSS 7.1)",{"type":50,"value":60,"context":61},"CVE-2026-42832","Microsoft Excel token theft vulnerability (CVSS 7.7)"]