Flag turned Microsoft 365 apps into account takeover pipeline


FlagLeft: We Found A Forgotten Flag That Turned Microsoft 365 Apps Into a Silent Account Takeover Pipeline for Billions of Users | Enclave

How a development flag left in production allowed any app on an Android device to silently take over a Microsoft account.

Yanir Tsarimi, Co-founder & CPO. June 2, 2026

A development flag left in production allowed any app on an Android device to silently take over a Microsoft account.

TL;DR & What Needs To Be Done:

Our research found that any app installed on the same Android device could silently access a Microsoft 365 account’s token. It could then act as the signed-in account (read email, open files, access documents, send messages, view calendars), without the user’s knowledge.

The issue has been patched, but if you use Microsoft 365 apps on Android, update them now. If your organization manages Android devices, make sure Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote are on patched versions.

Small Mistakes, Big Prices

A security check only works if it actually runs. In several Microsoft 365 Android apps, it didn’t.

We were looking at one of Microsoft’s Android apps when our AI analysis tool pointed out a vulnerability.

At first, it flagged that a sensitive security check was effectively disabled. Microsoft 365 apps have a feature that shares tokens between apps. If you log in to Word, you don’t need to log in again to PowerPoint. Makes sense.

However, our AI analysis produced a worrying result: not only was the authorization check disabled, it highlighted that this vulnerability could be replicated across multiple Microsoft apps because the vulnerable code was inside a shared Microsoft SDK.

We quickly produced a working PoC on an Android device, and were able to access Microsoft account tokens from all the installed apps on our device through a third-party, unverified app, and even read emails:

From the user’s side, there is no indication that anything is happening. But from the attacker’s side, those tokens were enough to act with the Microsoft account access the app had just handed over.

We confirmed the issue in the following Android apps:

Word
PowerPoint
Excel
Microsoft 365 Copilot
Microsoft Loop
OneNote

What started as one strange token request turned into a Microsoft 365 account takeover issue across six production Android apps.

The Technical

Microsoft 365 apps on Android need a way to share account access.

This is not the bug; it’s how the app is supposed to work. If you’re already signed into Word, Microsoft doesn’t want you to sign in again every time another Microsoft app needs the same account.

The important part is the handoff.

When an app asks for account tokens, Microsoft needs to check who is asking. A trusted Microsoft app should be allowed through. A random app installed on the same phone? That’s a no.

So we made the request from an app that shouldn’t have been trusted, and the Microsoft app returned tokens anyway. Something in the authorization path was not behaving the way a production app should behave.

Debug Mode in Production?

The reason for the bug is very simple. Someone left debug mode enabled in production:

setIsDebugMode(true)

This was enabled across all six apps. However, in apps like Teams, it was disabled. Clearly someone made a mistake.

That alone is not always enough to prove impact. Sometimes a debug flag only affects logging or test output. Sometimes it looks bad but does not change anything meaningful.

This one changed the behavior around account token sharing.

With debug mode enabled, the protection that should have blocked untrusted apps from receiving tokens was skipped. A separate app on the device only had to make the right request. It did not need the user’s password, a login page, or a request for Android permissions that would make the user suspicious.

So the finding moved from “debug flag in production” to “account tokens returned to an unauthorized app.”

Copy & Paste

The next question was scope: was this an isolated issue or more? Every experienced researcher knows that where there’s one bug, there are many more.

So we built that into our AI engine, and it immediately flagged this finding for variant analysis.

So we tested another Microsoft app. Same result. Then we tested another. Vulnerable again.

Now the story changed even more: it wasn’t just a single app with a bad flag; it was the same pattern across Microsoft 365 Android apps. One simple mistake impacted apps totaling billions of downloads.

Tokens Allowed Extended Account Access

A token is not just a random string; it’s what lets an app act as the signed-in account for the access that token carries. The tokens were special “FOCI” tokens. FOCI tokens are specifically dangerous because they can be reused and refreshed over a long period of time, without anyone...
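The handoff check described under "Debug Mode in Production?", as an added example that is not Microsoft's SDK code: a hypothetical TokenShareGuard class for an Android token-sharing component that resolves the Binder caller to its package and verifies the signing certificate, with the runtime debug-flag bypass shown beside the hardened form. The class and method names, and the certificate digest placeholder, are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;

public final class TokenShareGuard {
    // Constructed placeholder: SHA-256 hex of the signing certificate trusted apps
    // must carry. A real deployment pins the publisher's actual digest(s).
    private static final String TRUSTED_SIGNER_SHA256 = "PLACEHOLDER_SHA256_OF_TRUSTED_SIGNING_CERT";
    private final Context context;
    private final boolean debugMode; // runtime flag of the kind the post describes
    public TokenShareGuard(Context context, boolean debugMode) { this.context = context; this.debugMode = debugMode; }

    // Anti-pattern: a runtime debug flag short-circuits authorization. Shipped with
    // debugMode == true, every co-installed app is trusted and the check never runs.
    public boolean callerAllowedWeak() { return debugMode || callerSignedByTrustedKey(); }

    // Hardened: the decision never consults a mutable runtime flag. Test-only
    // shortcuts belong behind a compile-time constant such as BuildConfig.DEBUG.
    public boolean callerAllowed() { return callerSignedByTrustedKey(); }
    // Resolve the Binder caller to its package(s) and require every package sharing
    // that UID to be signed solely by the pinned certificate. Fails closed on any doubt.
    private boolean callerSignedByTrustedKey() {
        PackageManager pm = context.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        try {
            for (String pkg : pkgs) {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) return false;
                for (Signature sig : info.signingInfo.getApkContentsSigners()) {
                    if (!TRUSTED_SIGNER_SHA256.equals(sha256Hex(sig.toByteArray()))) return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false; // unknown caller: no tokens
        }
    }
    private static String sha256Hex(byte[] data) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

The token-returning entry point (a ContentProvider query or a bound Service call) would invoke callerAllowed() before releasing anything; a unit test that constructs the guard with debugMode set to true and asserts that an unpinned caller is still refused would have caught the pattern the post describes.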
