Microsoft: Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

Microsoft 365 Android Apps Exposed User Tokens Due to Debug Flag Left in Production

A critical vulnerability in multiple Microsoft 365 Android apps, dubbed FlagLeft by security researchers, allowed unauthorized apps on the same device to obtain user account tokens, granting access to emails, files, calendars, and messages without authentication. The flaw stemmed from a debug flag (setIsDebugMode(true)) mistakenly left enabled in production builds, which bypassed a security check designed to restrict token sharing to trusted Microsoft apps.

Affected apps included Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote, collectively boasting billions of downloads. Microsoft Teams was unaffected, as its build had the flag disabled. The issue originated from a shared Microsoft SDK, meaning the same vulnerability appeared across all impacted apps.

The exposed tokens, FOCI (Family of Client IDs) refresh tokens, enabled persistent access, as they could be refreshed and reused over time. Attackers could exploit the flaw by installing a malicious app on the target device, with no visible signs of compromise for the user. Researchers at Enclave demonstrated a proof-of-concept attack, successfully extracting tokens and accessing email via an unverified third-party app.
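As an added illustration (not code from the article, Microsoft, or Enclave), the shape of the bypass described above: a caller-trust check that a runtime debug flag can short-circuit, beside a form that cannot be switched off at runtime. The class name TokenBrokerGuard, the placeholder certificate digest, and the assumption that the check runs inside a Binder call (a ContentProvider or bound Service handling the token request) are assumptions of this example; the page does not describe the SDK's actual token-sharing mechanism.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical token-broker caller check (not Microsoft's SDK): decides whether the
// process requesting an account token is signed by a trusted certificate.
public final class TokenBrokerGuard {
    // Placeholder: SHA-256 of the signing certificate allowed to receive tokens.
    static final String TRUSTED_SIGNER_SHA256 = "PLACEHOLDER_SHA256_OF_TRUSTED_CERT";
    // Weak form: a runtime flag short-circuits the signer check, so a build that
    // ships with setIsDebugMode(true) hands tokens to every app on the device.
    public static boolean isCallerTrustedWeak(Context ctx, boolean isDebugMode) {
        if (isDebugMode) return true;
        return callerSignerIsTrusted(ctx);
    }
    // Hardened form: no runtime flag can skip the check. Test-only relaxations
    // belong behind a compile-time constant so they cannot reach a release build.
    public static boolean isCallerTrusted(Context ctx) {
        return callerSignerIsTrusted(ctx);
    }
    // Every package sharing the caller's UID must carry the trusted signer;
    // a missing SigningInfo, a multi-signer APK or any other signer fails.
    static boolean callerSignerIsTrusted(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        try {
            for (String pkg : pkgs) {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) return false;
                for (Signature sig : info.signingInfo.getApkContentsSigners()) {
                    if (!TRUSTED_SIGNER_SHA256.equals(sha256Hex(sig.toByteArray()))) return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }
    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Enforcement belongs on the side that holds the token; a check the requesting app performs on itself proves nothing, and a release build should fail its CI gate if any runtime switch can disable this path.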

Microsoft addressed the issue on May 12, assigning four CVEs:

  • CVE-2026-41100 (Microsoft 365 Copilot, CVSS 4.4)
  • CVE-2026-41101 (Word, CVSS 7.1)
  • CVE-2026-41102 (PowerPoint, CVSS 7.1)
  • CVE-2026-42832 (Excel, CVSS 7.7)

Loop and OneNote were also patched but did not receive separate CVEs in the May release. The fixed Word build (16.0.19822.20190) and corresponding updates for other apps were distributed via Google Play. Microsoft’s Patch Tuesday notes indicated no prior public disclosure or exploitation of the flaw.

While the patch closes the vulnerability, it does not invalidate tokens already obtained by attackers. Organizations managing Android fleets are advised to revoke refresh tokens for accounts on devices that ran vulnerable builds alongside untrusted apps to ensure full remediation.

Source: https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security-response-center

"id": "mic1780511463",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Billions of users (collective '
                                              'downloads of affected apps)',
                        'industry': 'Technology/Software',
                        'location': 'Global',
                        'name': 'Microsoft',
                        'size': 'Large',
                        'type': 'Corporation'}],
 'attack_vector': 'Malicious app on the same device',
 'customer_advisories': 'Users advised to update affected apps to the latest '
                        'versions via Google Play',
 'data_breach': {'data_exfiltration': 'Possible via malicious apps',
                 'personally_identifiable_information': 'Yes (emails, '
                                                        'messages, files)',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information, corporate data)',
                 'type_of_data_compromised': 'User account tokens (FOCI '
                                             'refresh tokens), emails, files, '
                                             'calendars, messages'},
 'date_resolved': '2024-05-12',
 'description': 'A critical vulnerability in multiple Microsoft 365 Android '
                'apps allowed unauthorized apps on the same device to obtain '
                'user account tokens, granting access to emails, files, '
                'calendars, and messages without authentication. The flaw '
                'stemmed from a debug flag (`setIsDebugMode(true)`) mistakenly '
                'left enabled in production builds, bypassing a security check '
                'designed to restrict token sharing to trusted Microsoft apps.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'unauthorized data access',
            'data_compromised': 'User account tokens (FOCI refresh tokens), '
                                'emails, files, calendars, messages',
            'identity_theft_risk': 'High (persistent access via refresh '
                                   'tokens)',
            'operational_impact': 'Unauthorized access to sensitive data '
                                  'without authentication',
            'systems_affected': 'Microsoft 365 Android apps (Word, PowerPoint, '
                                'Excel, Microsoft 365 Copilot, Microsoft Loop, '
                                'OneNote)'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'Importance of disabling debug flags in production builds, '
                    'shared SDK vulnerabilities can propagate across multiple '
                    'apps, need for token revocation mechanisms post-patch',
 'post_incident_analysis': {'corrective_actions': 'Debug flag disabled in '
                                                  'production builds, patches '
                                                  'released for all affected '
                                                  'apps, token revocation '
                                                  'guidance provided',
                            'root_causes': 'Debug flag '
                                           '(`setIsDebugMode(true)`) '
                                           'mistakenly left enabled in '
                                           'production builds of shared '
                                           'Microsoft SDK'},
 'recommendations': 'Revoke refresh tokens for accounts on devices with '
                    'vulnerable builds, update all affected apps to patched '
                    'versions, monitor for unauthorized access, implement '
                    'stricter app verification processes',
 'references': [{'source': 'Enclave Security Research'},
                {'source': 'Microsoft Patch Tuesday Notes'},
                {'source': 'Google Play Updates'}],
 'response': {'communication_strategy': 'Patch Tuesday notes, Google Play '
                                        'updates',
              'containment_measures': 'Patch released for affected apps via '
                                      'Google Play',
              'recovery_measures': 'Organizations advised to revoke refresh '
                                   'tokens for accounts on devices that ran '
                                   'vulnerable builds alongside untrusted apps',
              'remediation_measures': 'Fixed builds distributed (e.g., Word '
                                      'build 16.0.19822.20190), debug flag '
                                      'disabled',
              'third_party_assistance': 'Enclave (security researchers)'},
 'stakeholder_advisories': 'Organizations managing Android fleets advised to '
                           'revoke refresh tokens for affected accounts',
 'title': 'Microsoft 365 Android Apps Exposed User Tokens Due to Debug Flag '
          'Left in Production',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'Debug flag (`setIsDebugMode(true)`) left in '
                            'production builds'}