Microsoft 365 Apps for Android: Debug Flag Enables Token Theft

The point: An active debug flag in Microsoft 365 Android apps allowed arbitrary apps on the device to steal authentication tokens and take over user accounts completely.

In several Microsoft 365 Android apps, a developer flag was enabled that disabled a security check and gave arbitrary apps access to account tokens. Attackers could impersonate users without a password or consent.

In production builds of several Microsoft 365 Android apps, a developer flag was left enabled that disabled the control restricting token release to trusted Microsoft apps. That check was meant to ensure that only Microsoft's own apps could request authentication tokens.

Because of this flaw, any other app on the same device could request the signed-in user's token and receive it without any prompt. With the token, an attacker could read email, open files, view calendars, and send messages, all on behalf of the affected user, without the user entering a password, signing in, or granting any permission.
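To make the failure mode concrete, the following is an added illustration (not Microsoft's code, and not code from the article) of how a debug flag can neutralise a caller-trust check in an Android in-app token broker, with the vulnerable method beside a hardened one. The class name `TokenBroker`, the flag `SKIP_CALLER_CHECK_FOR_DEBUG`, and the fingerprint allowlist are assumptions; the Android APIs used (`Binder.getCallingUid`, `PackageManager.getPackagesForUid`, `GET_SIGNING_CERTIFICATES`, `SigningInfo.getApkContentsSigners`) are real and require API level 28 or later.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical in-app token broker used to illustrate the pattern; not Microsoft's implementation. */
public final class TokenBroker {

    // Constructed allowlist of SHA-256 fingerprints (hex) of the signing certificates whose apps may
    // receive tokens. Placeholder values: real fingerprints would come from the signing keys in use.
    private static final Set<String> TRUSTED_SIGNER_SHA256 = new HashSet<>(Arrays.asList(
            "PLACEHOLDER_FINGERPRINT_OF_TRUSTED_APP_1",
            "PLACEHOLDER_FINGERPRINT_OF_TRUSTED_APP_2"));

    // VULNERABLE PATTERN: a developer convenience flag that short-circuits the caller check.
    // Shipped as true in a release build, it makes every app on the device a "trusted" caller.
    private static final boolean SKIP_CALLER_CHECK_FOR_DEBUG = true;

    private final Context context;

    public TokenBroker(Context context) {
        this.context = context.getApplicationContext();
    }

    /** Before: the flag bypasses the check entirely, regardless of build type. */
    public boolean callerMayReceiveTokenVulnerable() {
        if (SKIP_CALLER_CHECK_FOR_DEBUG) {
            return true; // any package, signed by anyone, gets the token
        }
        return callerSignedByTrustedKey(Binder.getCallingUid());
    }

    /** After: the override is honoured only in a debuggable build; a release build fails closed. */
    public boolean callerMayReceiveTokenHardened() {
        boolean debuggable =
                (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        if (SKIP_CALLER_CHECK_FOR_DEBUG && !debuggable) {
            // A debug override compiled into a release build is a configuration bug:
            // refuse to release tokens rather than silently trusting every caller.
            return false;
        }
        return callerSignedByTrustedKey(Binder.getCallingUid());
    }

    /** Resolve the calling UID to its package(s) and require every signer to be on the allowlist. */
    private boolean callerSignedByTrustedKey(int uid) {
        PackageManager pm = context.getPackageManager();
        String[] packages = pm.getPackagesForUid(uid);
        if (packages == null || packages.length == 0) {
            return false;
        }
        // A UID may map to several packages (sharedUserId); all of them must be trusted.
        for (String pkg : packages) {
            try {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                Signature[] signers = info.signingInfo.getApkContentsSigners();
                if (signers == null || signers.length == 0) {
                    return false;
                }
                for (Signature s : signers) {
                    if (!TRUSTED_SIGNER_SHA256.contains(sha256Hex(s.toByteArray()))) {
                        return false;
                    }
                }
            } catch (PackageManager.NameNotFoundException e) {
                return false;
            }
        }
        return true;
    }

    private static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The point of the hardened variant is that the decision never rests on the caller's package name (which any app can choose) but on the signing certificate, and that a leftover debug override cannot widen trust in a non-debuggable build. Teams that keep such flags at all would normally also add a release-build unit test or CI check asserting the flag is false, so the misconfiguration is caught before it ships.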

For CISOs, this represents a significant risk on devices running the Microsoft 365 mobile apps. If a malicious or compromised application is installed on an Android device, it can gain full access to the Microsoft 365 accounts signed in there. That threatens the confidentiality, integrity, and availability of business-critical data and enables follow-on attacks launched from the compromised user accounts.


Source: thehackernews.com · Published June 3, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.