Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag
Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag
https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html
Publish Date: 2026-06-03 10:56:00
Source Domain: thehackernews.com
A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps.
Any other app on the same phone could ask for the signed-in user’s token and get it, then read email, open files, browse the calendar, and send messages as that user. No password, no login screen, no permission prompt.
Microsoft has patched it, and if you run Microsoft 365 apps on Android, update them.
The bug, which Enclave calls FlagLeft, hit Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote, six apps with billions of downloads between them. Teams shipped with the same flag set to false and were not affected, which Enclave reads as a slip rather than a design.
Microsoft 365 apps share account access on purpose, so signing into Word means you do not sign in again for PowerPoint. The handoff is supposed to verify who is asking and turn away anything that is not a trusted Microsoft app.
Enclave’s Yanir Tsarimi and Ofek Levin found the check was being skipped because of a single line left in the shipping code: setIsDebugMode(true). The flaw sat in a shared Microsoft SDK, so the same hole showed up in app after app.
The tokens handed over were FOCI tokens, the family refreshes tokens Microsoft uses for single sign-on across its apps. They can be refreshed and reused over long stretches, and the resulting traffic looks routine in logs. From the user’s side, nothing visible happens.
Enclave built a working proof of concept that pulled tokens through an unverified third-party app and read email with them. Microsoft classifies these as local spoofing flaws; in plain terms, a malicious app already on the device is all it takes.
Microsoft issued four CVEs on May 12, all classed as spoofing under improper access control (CWE-284):…
