Microsoft 365 Android Apps Exposed to Token Theft via Debug Flag

A recently discovered vulnerability in several Microsoft 365 Android applications allowed unauthorized access to user account tokens, potentially exposing sensitive data. The flaw originated from a development flag inadvertently left enabled in production versions of apps such as Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote. This oversight disabled the security check that restricts token sharing to trusted Microsoft applications.

As a result, any application installed on the same device could request and obtain the signed-in user’s token without requiring a password, login prompt, or user consent. With access to these tokens, malicious apps could read emails, access files, view calendar events, and send messages on behalf of the user.

Microsoft has addressed this issue by releasing patches for the affected applications. Users are strongly advised to update their Microsoft 365 apps via the Google Play Store to ensure they are protected from potential exploitation.

The vulnerability, dubbed ‘FlagLeft’ by security firm Enclave, affected six widely used applications with billions of downloads collectively. Notably, Microsoft Teams was not impacted, as it had the debug flag correctly set to false, suggesting the issue was an oversight rather than a deliberate design choice.

Microsoft 365 apps are designed to share account access to facilitate seamless user experiences across different services. However, this functionality relies on verifying the requesting application’s authenticity. Enclave researchers Yanir Tsarimi and Ofek Levin discovered that the security check was bypassed due to a single line of code: setIsDebugMode(true). This flaw resided in a shared Microsoft software development kit (SDK), causing multiple applications to inherit the vulnerability.

The compromised tokens, known as Family of Client IDs (FOCI) tokens, are used by Microsoft for single sign-on across its applications. These tokens can be refreshed and reused over extended periods, making unauthorized access difficult to detect, as the resulting traffic appears routine in logs. From the user’s perspective, no visible signs indicate that their account has been compromised.

Enclave developed a proof-of-concept demonstrating how a malicious third-party app could exploit this vulnerability to extract tokens and access user emails. Microsoft categorized these as local spoofing flaws, meaning that a malicious app already installed on the device could exploit the issue.

On May 12, Microsoft issued four Common Vulnerabilities and Exposures (CVEs) related to this flaw, all classified under improper access control (CWE-284):

  • CVE-2026-41100 for Microsoft 365 Copilot (CVSS 4.4)
  • CVE-2026-41101 for Word (CVSS 7.1)
  • CVE-2026-41102 for PowerPoint (CVSS 7.1)
  • CVE-2026-42832 for Excel (CVSS 7.7)

While Enclave reported the same flaw in Loop and OneNote, these applications did not receive separate CVEs in the May batch. The patched version for Word on Android is 16.0.19822.20190, with earlier versions being vulnerable. The other affected applications were similarly updated through the Google Play Store.

There is currently no public evidence that this vulnerability was exploited before the fix. However, users should update their Microsoft 365 applications promptly. Security teams managing Android devices should ensure that all devices are running the patched versions and consider revoking existing refresh tokens to force fresh sign-ins, as FOCI tokens can persist beyond app updates.
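For the device check mentioned above, the following is an added Python example (not code from the article, Enclave or Microsoft) that parses `adb shell dumpsys package` output and flags installs below the patched Word build given in the article; the Android package name and the sample dumpsys excerpt are assumptions constructed for the demonstration.

```python
"""Check installed Android app versions from `adb shell dumpsys package` against the minimum patched build."""
import re
from typing import Dict, List, Tuple

# Minimum patched versionName per package. Only the Word build is given in
# the article; add the other apps from Microsoft's advisories before use.
# Package name is an assumption, not taken from the article.
MIN_PATCHED: Dict[str, str] = {
    "com.microsoft.office.word": "16.0.19822.20190",
}

# Constructed dumpsys excerpt: one Word install, one build behind the fix,
# plus an unrelated package that must be ignored.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.microsoft.office.word] (7a3b2c1):
    userId=10231
    versionName=16.0.19800.20012
  Package [com.microsoft.teams] (9f0e1d2):
    versionName=1.0.0.2026001
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """'16.0.19822.20190' -> (16, 0, 19822, 20190). Compare numerically:
    as strings, '16.0.9999.1' would wrongly sort above '16.0.19822.20190'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_patched(installed: str, minimum: str) -> bool:
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))  # pad so '16.0.19822' == '16.0.19822.0'
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def parse_dumpsys(text: str) -> Dict[str, str]:
    """Map package name -> versionName from dumpsys package output."""
    found, pkg = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            pkg = m.group(1)
            continue
        m = re.match(r"\s*versionName=(\S+)", line)
        if m and pkg:
            found[pkg] = m.group(1)
    return found

def unpatched_apps(dumpsys_text: str) -> List[Tuple[str, str, str]]:
    """Return (package, installed, minimum) for installed apps below the fix."""
    versions = parse_dumpsys(dumpsys_text)
    return [(p, versions[p], m) for p, m in MIN_PATCHED.items()
            if p in versions and not is_patched(versions[p], m)]
```

Run it over `adb -s <device> shell dumpsys package` output from each managed device; an empty list means every listed app is at or above its patched build.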

This incident underscores the importance of thorough code reviews and testing before releasing software to production. A single overlooked line of code can have significant security implications, potentially exposing millions of users to data breaches. Organizations must implement robust development and deployment processes to prevent such oversights.

Source: The Hacker News