CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 03, 2026

Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users

Cybersecurity News Archived Jun 03, 2026 ✓ Full text saved

A single forgotten development flag left active in production code silently handed Microsoft account tokens to any app on an Android device, exposing billions of users across six major Microsoft 365 apps to account takeover without any interaction or consent. The vulnerability, dubbed FlagLeft, allowed any third-party app on the same Android device to silently request […] The post Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users appeared first on Cyber

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users By Abinaya June 3, 2026 A single forgotten development flag left active in production code silently handed Microsoft account tokens to any app on an Android device, exposing billions of users across six major Microsoft 365 apps to account takeover without any interaction or consent. The vulnerability, dubbed FlagLeft, allowed any third-party app on the same Android device to silently request and receive valid Microsoft account tokens without triggering a login prompt, a permission request, or a user notification. The root cause was remarkably simple: a single line of debug code, setIsDebugMode(true), had been left enabled in production builds. That flag turned off the authorization check designed to ensure that only trusted Microsoft apps could request account tokens from other Microsoft apps on the same device. The vulnerability was confirmed across Microsoft Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and Microsoft OneNote on Android. Microsoft Teams was not affected; its debug flag was correctly set to false in production. Because the vulnerable flag lived inside a shared Microsoft SDK, the same flawed code propagated across all six apps simultaneously. Microsoft 365 Android Apps Account Takeover Vulnerability Microsoft 365 apps use a token-sharing mechanism called FOCI (Family of Client IDs) to enable seamless single sign-on across the app suite. Logging into Word, for example, means PowerPoint or Excel does not require a separate login, which is a legitimate and intended design. However, setIsDebugMode(true) bypassed the trust verification step that separates a legitimate Microsoft app from an untrusted third-party app. These tokens are especially dangerous because they are long-lived, refreshable, and generate no suspicious activity in logs the traffic looks entirely normal. With debug mode active, any co-installed app could make the same token request and receive full FOCI tokens in return. An attacker exploiting this flaw could silently read emails, access OneDrive files, send messages, and view calendar data, all under the identity of the signed-in user. MSRC confirmed and patched all reported issues, assigning multiple CVEs. CVE-2026-41100 covers Microsoft 365 Copilot for Android with a CVSS score of 4.4 (Medium). CVE-2026-41101 covers Word for Android and CVE-2026-41102 covers PowerPoint for Android, both rated 7.1 (High). Microsoft Office for Android carries a CVSS score of 7.7 (Important). All issues fall under CWE-284 Improper Access Control, published May 12, 2026. Impact and Remediation Researchers at Enclave and Ofek Levin uncovered a critical flaw in a shared Microsoft SDK used across multiple Microsoft 365 Android apps. The combined installs across the six affected apps span billions of Android devices globally. Every signed-in user was potentially exposed to silent token theft by any co-installed app, with no visible indicator of compromise on the user’s side. Microsoft has patched all six apps, and users must immediately update Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote to their latest Android versions. Enterprise MDM administrators should confirm that patched versions are deployed across managed devices and audit OAuth token activity in Microsoft Defender for Cloud Apps for any anomalous behavior. This case demonstrates how a single development artifact, one boolean flag, can collapse an entire authentication trust model when it escapes into production. The flaw was not in the FOCI token-sharing design itself, but in the missing gate that controls access to it. Because the code was shared across an SDK, one oversight instantly affected six major apps and billions of users at once. Enclave’s AI-assisted variant analysis was critical in rapidly mapping the full scope of the vulnerability across the entire Microsoft 365 Android portfolio. Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Critical KMW CCTV Vulnerability Let Attackers Gain Unauthorized Access to Camera Feeds Hackers Use Grandoreiro Malware to Target Portuguese Banks and Latin American Companies GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains New BTMOB Malware Lets Attackers Remotely Control Android Devices Hackers Use 34 Malicious Packages to Steal Cloud Keys, Wallets, and SSH Credentials Latest News Cyber Security HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora Cyber Security 1-Click GitHub Token Vulnerability Lets Attackers Steal Users’ OAuth Tokens Cyber Security News WordPress Malware Abuses Steam Community Profiles for C2 Operations Cyber Security News Threat Actor Uses Stolen Gemini API Keys to Automate Telegram Influence Campaign Cyber Security Attackers Abuse AWS, Google Cloud, Cloudflare, and Microsoft Services to Hide Malicious Traffic
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 03, 2026
    Archived
    Jun 03, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗