Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

2026-06-03

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

A debug flag left enabled in Microsoft 365 Android apps bypassed token-sharing security checks, allowing any app on the device to steal account tokens and access email, files, calendar, and messages.

•Vulnerability called FlagLeft was caused by setIsDebugMode(true) left in production code within a shared Microsoft SDK
•Affected six apps: Word, PowerPoint, Excel, Copilot, Loop, and OneNote with billions of downloads combined
•Attackers could obtain FOCI refresh tokens that persist across app updates and allow long-term unauthorized access
•Microsoft issued four CVEs with CVSS scores ranging from 4.4 to 7.7, patching through Google Play updates
•Users should update affected apps and revoke refresh tokens to prevent unauthorized access from previously compromised devices

Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows

Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

Veeam Backup & Replication RCE Flaw Lets Domain Users Run Remote Code

Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues