A critical vulnerability in Microsoft 365 Android applications has been identified, potentially allowing unauthorized access to user accounts without any user interaction. This flaw, termed ‘FlagLeft,’ affects six major Microsoft 365 apps: Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote.
The issue originated from a development oversight where a debug flag, setIsDebugMode(true), was inadvertently left active in production code. This misconfiguration disabled the authorization checks that normally restrict token requests to trusted Microsoft applications. Consequently, any third-party app installed on the same Android device could silently request and obtain valid Microsoft account tokens, bypassing login prompts and user consent.
These tokens, being long-lived and refreshable, granted attackers the ability to read emails and OneDrive files, send messages, and view calendar data, all under the guise of the legitimate user. Notably, Microsoft Teams remained unaffected because its debug flag was correctly set to false in production.
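The following is an added illustration, not Microsoft's code or the article's, of the bug class described above: a token broker whose caller-authorization check is skipped whenever a debug flag is on, next to a hardened broker that fails closed in release builds, plus a blunt source-scan that would catch a hard-coded setIsDebugMode(true) in CI. All package names, fingerprints, class names and the sample source snippet are constructed for the example.

```python
"""
Hypothetical model (not Microsoft's implementation) of an Android-style
token broker that authorizes callers by package name plus signing-certificate
fingerprint, and of how a leftover debug flag can disable that check.
"""
import re
import secrets
from dataclasses import dataclass, field

# Constructed allowlist: trusted first-party apps, keyed by package name, with
# the expected SHA-256 signing-certificate fingerprint. The certificate, not the
# package name, is what binds an APK to its publisher, so both must match.
TRUSTED_CALLERS = {
    "com.example.office.word": "sha256:0011aabb",
    "com.example.office.excel": "sha256:2233ccdd",
}


@dataclass(frozen=True)
class CallerIdentity:
    package: str
    signer_fingerprint: str


class AuthorizationError(Exception):
    """Raised when the requesting app is not a trusted first-party app."""


def caller_is_trusted(caller: CallerIdentity) -> bool:
    expected = TRUSTED_CALLERS.get(caller.package)
    return expected is not None and secrets.compare_digest(expected, caller.signer_fingerprint)


@dataclass
class VulnerableTokenBroker:
    """Models the flawed behaviour: debug mode switches the caller check off."""
    debug_mode: bool = False
    audit_log: list = field(default_factory=list)

    def set_is_debug_mode(self, enabled: bool) -> None:
        self.debug_mode = enabled

    def request_token(self, caller: CallerIdentity) -> str:
        # Bug: with debug_mode on, any installed app gets a token.
        if not self.debug_mode and not caller_is_trusted(caller):
            self.audit_log.append(("denied", caller.package))
            raise AuthorizationError(f"{caller.package} is not a trusted caller")
        self.audit_log.append(("granted", caller.package))
        return "tok_" + secrets.token_hex(8)


@dataclass
class HardenedTokenBroker:
    """Fails closed: the allowlist check always runs, and debug mode cannot be
    enabled at all in a release build."""
    is_release_build: bool
    debug_mode: bool = False
    audit_log: list = field(default_factory=list)

    def set_is_debug_mode(self, enabled: bool) -> bool:
        # Refuse and record the attempt so it is visible during release testing.
        if enabled and self.is_release_build:
            self.audit_log.append(("debug_mode_rejected", None))
            self.debug_mode = False
            return False
        self.debug_mode = enabled
        return enabled

    def request_token(self, caller: CallerIdentity) -> str:
        # Debug mode only adds tracing; it never bypasses authorization.
        if not caller_is_trusted(caller):
            self.audit_log.append(("denied", caller.package))
            raise AuthorizationError(f"{caller.package} is not a trusted caller")
        if self.debug_mode:
            self.audit_log.append(("debug_trace", caller.package))
        self.audit_log.append(("granted", caller.package))
        return "tok_" + secrets.token_hex(8)


def grants_token(broker, caller: CallerIdentity) -> bool:
    """Convenience helper: True if the broker issues a token to this caller."""
    try:
        return broker.request_token(caller).startswith("tok_")
    except AuthorizationError:
        return False


# CI guard: flag any hard-coded setIsDebugMode(true) in source. Deliberately
# blunt (matches comments too) so a reviewer has to look at each hit.
DEBUG_FLAG_PATTERN = re.compile(r"setIsDebugMode\s*\(\s*true\s*\)")


def find_debug_flag_lines(source: str) -> list:
    """Return 1-based line numbers where the debug flag is hard-coded on."""
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if DEBUG_FLAG_PATTERN.search(line)]


# Constructed source snippet standing in for a build-config file under review.
SAMPLE_SOURCE = """\
val client = AuthClient.Builder()
    .setIsDebugMode(true)  // leftover development setting (constructed example)
    .build()
"""

if __name__ == "__main__":
    third_party = CallerIdentity("com.example.thirdparty", "sha256:ffff")
    leaky = VulnerableTokenBroker()
    leaky.set_is_debug_mode(True)
    print("vulnerable broker, debug on, untrusted app:", grants_token(leaky, third_party))
    safe = HardenedTokenBroker(is_release_build=True)
    print("hardened broker accepted debug flag:", safe.set_is_debug_mode(True))
    print("hardened broker, untrusted app:", grants_token(safe, third_party))
    print("debug flag found on source lines:", find_debug_flag_lines(SAMPLE_SOURCE))
```

The hardened variant makes two separate changes: the authorization branch no longer has a path that skips the allowlist, and enabling debug mode in a release build is rejected and logged rather than silently honoured. The source scan is the cheap complement; wiring it into a release pipeline turns "someone forgot to flip the flag" into a failed build instead of a shipped vulnerability.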
Microsoft has addressed this vulnerability by releasing patches for all affected applications. Users are strongly advised to update Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote to their latest versions on Android devices. Enterprise administrators should ensure that these updates are deployed across all managed devices and monitor OAuth token activity through Microsoft Defender for Cloud Apps.
This incident underscores the critical importance of rigorous code review and testing processes, especially concerning development configurations. A single overlooked setting can expose millions to potential security breaches. Organizations must prioritize comprehensive security assessments to prevent such vulnerabilities from reaching production environments.
Source: CyberSecurityNews