Microsoft has patched a critical vulnerability in several of its Microsoft 365 Android apps that let any other app on the same device obtain the account tokens of the signed-in user. The flaw, rooted in a debug flag left enabled in production builds, affected Word, PowerPoint, Excel, Copilot, Loop and OneNote; users should update these apps immediately to protect their accounts.
Security Flaw Details
The flaw was found in the production builds of these apps, where a development flag that had been left enabled disabled the check restricting account-token sharing to verified Microsoft apps. Any third-party app on the same device could therefore request and receive the tokens, and use them to read email, files, calendar events and more, with no authentication prompt shown to the user.
Enclave, the security firm that found the vulnerability, named it ‘FlagLeft’. The root cause was a single line of code, setIsDebugMode(true), which bypassed the caller-verification checks. Notably, Microsoft Teams was not affected because its build had the flag correctly set to false.
Impact and Resolution
Microsoft’s apps use FOCI (Family of Client IDs) tokens for single sign-on: a refresh token issued to one app in the family can be redeemed for access tokens for the other apps in the family. These refresh tokens are long-lived and can be renewed repeatedly, so activity carried out with a stolen one looks like ordinary use of a Microsoft client, which can hide unauthorized access. Enclave demonstrated the vulnerability with a proof of concept showing how a malicious app could obtain and use the tokens.
In response, Microsoft released fixes for the affected apps through Google Play updates. On May 12, four CVEs were issued: CVE-2026-41100 for Copilot, CVE-2026-41101 for Word, CVE-2026-41102 for PowerPoint and CVE-2026-42832 for Excel. Loop and OneNote had the same flaw but did not receive separate CVEs in the May update.
Preventive Measures and Recommendations
The patch closes the leak, but it does not invalidate tokens an attacker may already have obtained. Users and security teams should update the Microsoft 365 apps promptly. Organizations that manage Android devices should push the updates through their Mobile Device Management (MDM) system and verify that every device is running the fixed versions.
In addition, revoke existing refresh tokens and sign in again, especially on devices that ran an outdated version alongside untrusted apps. Note that revoking refresh tokens does not expire access tokens that were already issued; those remain usable until their normal expiry (by default roughly an hour to ninety minutes), so the window immediately after revocation should still be treated as exposed.
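As an added example (not code from the article, Enclave or Microsoft), the following Microsoft Graph PowerShell script implements the two recommendations above for an Intune-managed fleet: it lists enrolled Android devices whose app inventory still shows an affected app below its first fixed build, and it revokes the refresh tokens of the users signed in on those devices. The cmdlets are from the Microsoft Graph PowerShell SDK; the app display-name pattern and the fixed version numbers are assumptions that you must replace with the values from the store listing and Microsoft's advisory, since the article does not give version numbers.

```powershell
#Requires -Modules Microsoft.Graph.DeviceManagement, Microsoft.Graph.Users.Actions
# Added example, not code from the article, Enclave or Microsoft.
# Before running: Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','User.ReadWrite.All'

function Get-OutdatedM365AndroidDevice {
    <#
    .SYNOPSIS
      Lists Intune-enrolled Android devices whose inventory still shows an affected
      Microsoft 365 app below its first fixed version.
    .PARAMETER FixedVersions
      Hashtable: app name -> first fixed version string, e.g. @{ Word = '16.0.0.0' }.
      The values used in the usage block are placeholders; take the real numbers from
      the Play Store release notes or Microsoft's advisory (the article does not list them).
    #>
    [CmdletBinding()]
    param([Parameter(Mandatory)] [hashtable] $FixedVersions)

    # Assumption: Intune reports the apps with display names such as 'Word' or 'Microsoft Word'.
    $names   = ($FixedVersions.Keys | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = "^(Microsoft )?($names)$"

    foreach ($app in Get-MgDeviceManagementDetectedApp -All) {
        if ($app.DisplayName -notmatch $pattern) { continue }
        $name = $Matches[2]

        $installed = $null
        if (-not [version]::TryParse($app.Version, [ref]$installed)) {
            Write-Warning "Cannot parse version '$($app.Version)' for $($app.DisplayName); check manually"
            continue
        }
        if ($installed -ge [version]$FixedVersions[$name]) { continue }   # already on a fixed build

        # Devices carrying this outdated build; keep Android only, since the flaw is Android-specific.
        foreach ($dev in Get-MgDeviceManagementDetectedAppManagedDevice -DetectedAppId $app.Id -All) {
            if ($dev.OperatingSystem -notlike 'Android*') { continue }
            [pscustomobject]@{
                App               = $name
                InstalledVersion  = $app.Version
                DeviceName        = $dev.DeviceName
                UserPrincipalName = $dev.UserPrincipalName
            }
        }
    }
}

function Revoke-UserRefreshToken {
    <#
    .SYNOPSIS
      Invalidates all refresh tokens (and browser session cookies) of a user via
      POST /users/{id}/revokeSignInSessions. Access tokens already issued are NOT
      revoked by this call and stay valid until they expire.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $UserPrincipalName)

    process {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke all refresh tokens')) {
            $result = Revoke-MgUserSignInSession -UserId $UserPrincipalName
            [pscustomobject]@{
                UserPrincipalName = $UserPrincipalName
                Revoked           = [bool]($result.Value -or $result -eq $true)
            }
        }
    }
}

# Usage (placeholder versions; replace each with the first fixed build of that app):
# $fixed = @{ Word='16.0.0.0'; PowerPoint='16.0.0.0'; Excel='16.0.0.0'; OneNote='16.0.0.0'; Loop='1.0.0.0'; Copilot='1.0.0.0' }
# $outdated = Get-OutdatedM365AndroidDevice -FixedVersions $fixed
# $outdated | Format-Table App, InstalledVersion, DeviceName, UserPrincipalName
# $outdated.UserPrincipalName | Where-Object { $_ } | Sort-Object -Unique | Revoke-UserRefreshToken -WhatIf   # drop -WhatIf to act
```

Two caveats when using this. The detected-app inventory only covers devices enrolled in MDM; BYOD devices protected with app protection policies alone do not appear in it and need to be handled separately. And revokeSignInSessions signs the user out everywhere, not just on the Android device, so run it with -WhatIf first and plan for the re-sign-in prompts it will trigger.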
Overall, staying vigilant with software updates and security practices remains essential in safeguarding personal and organizational data against such vulnerabilities.
