A security vulnerability in Microsoft 365 Android apps exposed billions of users to potential account takeover. The flaw, known as FlagLeft, let any app installed on the same device obtain Microsoft account tokens from six major Microsoft apps, putting user data and privacy at substantial risk.
Understanding the FlagLeft Vulnerability
The vulnerability stemmed from a development oversight: a debug flag, setIsDebugMode(true), was left active in production code. With the flag on, the SDK skipped the checks that verify the identity of the app asking for a token, so any third-party app on the same device could request and obtain valid Microsoft account tokens without user consent or notification.
These tokens are issued under Microsoft's Family of Client IDs (FOCI) mechanism, which lets apps in the same "family" (Word, PowerPoint, Excel and others) share a refresh token so that a user who signs in to one of them is silently signed in to the rest. That sharing is only safe as long as the recipient is verified to be a genuine family member; with debug mode active that verification was gone, and an unauthorized app could impersonate a legitimate Microsoft application.
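The check that the debug flag defeated is, in general terms, "only hand the shared token to a caller whose package is signed by a certificate we trust". The following Java class is an added illustration written for this article; it is not Microsoft's SDK code and does not reproduce the real setIsDebugMode implementation. The class name TokenShareGuard, the allowlist of certificate digests and the debugMode field are assumptions made for the example. It shows the vulnerable shape (a runtime debug switch that bypasses caller verification) next to the verification that should run unconditionally, using only standard Android APIs (API level 28 or later for signingInfo).

```java
// Added example, not code from the original page or from Microsoft.
// Models an on-device token-sharing endpoint (e.g. behind a ContentProvider
// or AIDL call) that must only serve apps in a trusted "family".
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.util.Set;

public final class TokenShareGuard {
    private final Context context;
    // Hypothetical allowlist: lowercase hex SHA-256 digests of the signing
    // certificates of the sibling apps that may receive the shared token.
    private final Set<String> allowedCertDigests;
    // The dangerous knob. A leftover setDebugMode(true) in a release build
    // turns every app on the device into a trusted caller.
    private boolean debugMode = false;

    public TokenShareGuard(Context context, Set<String> allowedCertDigests) {
        this.context = context.getApplicationContext();
        this.allowedCertDigests = allowedCertDigests;
    }

    /** VULNERABLE PATTERN: a runtime flag that disables caller verification. */
    public void setDebugMode(boolean enabled) {
        this.debugMode = enabled;
    }

    /** Returns the cached token to the caller, or throws SecurityException. */
    public String getTokenForCaller(String cachedRefreshToken) {
        if (debugMode) {
            // Bug: no check at all. This branch is what a forgotten
            // setDebugMode(true) exposes to every app on the device.
            return cachedRefreshToken;
        }
        verifyCallerIsFamilyMember();
        return cachedRefreshToken;
    }

    /** HARDENED PATTERN: verification cannot be switched off at runtime. */
    public String getTokenForCallerHardened(String cachedRefreshToken) {
        verifyCallerIsFamilyMember();
        return cachedRefreshToken;
    }

    /**
     * Resolves the calling UID to its package(s) and accepts the request only
     * if one of those packages is signed by an allowlisted certificate.
     * Uses the Binder calling UID, which the caller cannot spoof, rather than
     * a package name supplied in the request.
     */
    private void verifyCallerIsFamilyMember() {
        int uid = Binder.getCallingUid();
        PackageManager pm = context.getPackageManager();
        String[] packages = pm.getPackagesForUid(uid);
        if (packages == null) {
            throw new SecurityException("caller uid " + uid + " has no package");
        }
        for (String pkg : packages) {
            PackageInfo info;
            try {
                info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            } catch (PackageManager.NameNotFoundException e) {
                continue;
            }
            if (info.signingInfo == null) {
                continue;
            }
            // Full signing lineage is not needed here; current signers suffice.
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            for (Signature s : signers) {
                if (allowedCertDigests.contains(sha256Hex(s.toByteArray()))) {
                    return;
                }
            }
        }
        throw new SecurityException("caller uid " + uid + " is not a family app");
    }

    private static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The practical lesson is the shape of getTokenForCallerHardened: there is no code path that returns the token without verifyCallerIsFamilyMember running. If a test build genuinely needs a bypass, it belongs behind a compile-time constant that cannot be present in a release artifact, backed by a CI check that fails the build if the debug setter is invoked, rather than behind a setter that any commit can flip.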
Impact on Microsoft 365 Android Apps
The affected apps included Microsoft Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and Microsoft OneNote. The flaw was traced to a shared Microsoft SDK, which propagated the issue across these applications.
Microsoft Teams was unaffected because its debug flag was configured correctly. In the affected apps, however, the vulnerability let an attacker reach sensitive user data such as emails, files, and calendar events. The threat is compounded by the nature of the tokens: refresh tokens are long-lived, and their use from the victim's own device looks like ordinary sign-in activity, so the abuse produces no obvious anomaly and is difficult to detect.
Response and Mitigation Measures
Upon discovery, Microsoft acted swiftly to patch the vulnerability across all affected apps. The company assigned CVEs to the issues, with varying severity scores, and urged users to update their apps to the latest versions.
Enterprise administrators were advised to ensure that the updated versions are deployed across managed devices and to review sign-in and token activity for anomalies using Microsoft Defender for Cloud Apps. Because a refresh token obtained before the update remains valid until it expires or is revoked, administrators who suspect that a device was abused should also revoke sessions for the affected accounts rather than rely on the app update alone. The incident highlighted the importance of rigorous code review and release checks that catch debug-only settings before they reach production.
Research conducted by Enclave and Ofek Levin played a crucial role in identifying the vulnerability’s scope. Their work underscores the potential impact of a single line of code on global cybersecurity, emphasizing the need for vigilant security practices.
Conclusion
This incident serves as a stark reminder of the fragility of software security and the far-reaching consequences of development errors. As Microsoft continues to address the fallout, users and organizations alike are encouraged to remain vigilant and proactive in maintaining app security and updates.
