Skip to content

Microsoft 365 Android: Debug Flag Enabled Token Access by Third-Party Apps

The bottom line: An accidental configuration allowed third-party apps to access authentication tokens in Microsoft 365 Android applications.

An inadvertently enabled debug flag in Microsoft 365 apps for Android allowed other applications to retrieve authentication tokens. The vulnerability was patched on June 3.

During an update to Microsoft 365 apps for the Android operating system, Microsoft inadvertently enabled a debug flag that should normally only be active in developer versions. This flag exposed the internal token management to other applications installed on the device.

For CISOs and security officers, this represents a potential compromise of user accounts on endpoints. Attackers could have accessed authentication tokens through specially crafted apps and thereby hijack identities — without users or administrators being immediately aware of the compromise.

Microsoft patched the vulnerability on June 3. Organizations should verify whether and when affected versions were in use on their Android devices, and if necessary, activate security protocols for devices from this period.


Source: borncity.com · Published June 5, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.5.4.

Share on: