Microsoft patched a security flaw in six [1] of its Android apps that allowed any application on a device to steal user account tokens.
The vulnerability exposed sensitive data across billions [3] of app downloads, potentially giving malicious software the ability to impersonate users and access private corporate or personal information.
Security researcher Enclave discovered that a leftover debug flag remained enabled in production builds of the software [1]. This flag disabled the security check normally used to limit token sharing to trusted Microsoft applications [2]. Because the check was inactive, any app installed on the same Android device could request and obtain the signed-in user's Microsoft 365 account token [1].
Once an attacker obtained this token, they could act as the user without needing a password [1]. With that access, the attacker could read emails, open files, browse calendars, and send messages [1]. The flaw affected a wide range of productivity tools, including Outlook, Teams, Word, Excel, PowerPoint, and OneDrive [2].
Microsoft released patches to resolve the coding error on May 12, 2026 [1]. The company removed the debug flag to ensure that token-sharing checks are properly enforced across all production versions of the apps [2].
The flaw was publicly disclosed earlier this month [1]. The discovery highlights the risks associated with development tools and debug flags leaking into final software releases, a common but dangerous oversight in complex mobile environments [2].
This incident underscores the critical impact of 'configuration drift', where development settings accidentally persist in live environments. Because these apps are central to corporate workflows, the ability of a third-party app to obtain a user's authentication token represents a significant systemic risk to enterprise security, emphasizing the need for more rigorous automated audits of production binaries.
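The pattern described above (a debug flag that switches off the trusted-caller check) and the kind of automated release check the closing paragraph calls for can be modeled in a few lines. This is an added example, not Microsoft's code: the affected implementation is not published on this page, so the broker classes, the `skip_caller_check` flag, the certificate bytes and the token string are all constructed for illustration.

```python
import hashlib

# Constructed signing-certificate bytes; real code would read the caller's
# certificate from the platform package manager.
TRUSTED_CERT = b"constructed-first-party-signing-cert"
OTHER_CERT = b"constructed-third-party-signing-cert"

# Allowlist of SHA-256 digests of certificates allowed to receive tokens.
TRUSTED_DIGESTS = frozenset({hashlib.sha256(TRUSTED_CERT).hexdigest()})


def caller_is_trusted(caller_cert: bytes) -> bool:
    """True only if the caller's certificate digest is on the allowlist."""
    return hashlib.sha256(caller_cert).hexdigest() in TRUSTED_DIGESTS


class VulnerableBroker:
    """The caller check can be switched off by a flag left set in a release."""

    def __init__(self, skip_caller_check: bool):
        self.skip_caller_check = skip_caller_check  # hypothetical debug flag

    def get_token(self, caller_cert: bytes) -> str:
        if not self.skip_caller_check and not caller_is_trusted(caller_cert):
            raise PermissionError("caller not in trusted set")
        return "constructed-account-token"


class HardenedBroker:
    """No bypass path: the caller check runs on every request."""

    def get_token(self, caller_cert: bytes) -> str:
        if not caller_is_trusted(caller_cert):
            raise PermissionError("caller not in trusted set")
        return "constructed-account-token"


def release_gate(broker) -> bool:
    """Negative test for CI: pass only if an untrusted caller is refused
    and a trusted caller is still served."""
    try:
        broker.get_token(OTHER_CERT)
        return False  # token was handed to an untrusted caller
    except PermissionError:
        pass
    return broker.get_token(TRUSTED_CERT) == "constructed-account-token"
```

Running `release_gate` against the release configuration of a build fails it whenever the check has been left disabled, regardless of which flag caused that.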




