Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A Critical Vulnerability in Microsoft 365 Android Apps: A Threat to User Identity and Security



A new vulnerability has been discovered in Microsoft 365 Android apps that allows any app on the same device to steal account tokens from users. The bug, known as "FlagLeft," was identified by Enclave researchers and affects several popular apps, including Word, PowerPoint, Excel, and OneNote. Microsoft has issued patches for the affected apps, but it's essential for users to update their apps immediately and take steps to protect themselves from potential attacks.

  • The recent discovery of a critical vulnerability in Microsoft 365 Android apps has allowed any app on the same device to steal account tokens from users.
  • The bug, dubbed "FlagLeft," affects several popular Microsoft 365 Android apps, including Word, PowerPoint, and Excel.
  • The vulnerability occurs due to a single line of code left in the shipping process, which enables debug mode and disables security controls.
  • Microsoft has issued four CVEs for this vulnerability, with CVSS scores ranging from 4.4 to 7.7.
  • The affected apps include Microsoft 365 Copilot, Word, PowerPoint, and Excel; Teams was not affected because a different flag was set to false.



    The recent discovery of a critical vulnerability in Microsoft 365 Android apps has sent shockwaves throughout the cybersecurity community. The bug, which Enclave researchers Yanir Tsarimi and Ofek Levin identified, allows any app on the same device to steal account tokens from Microsoft 365 users, effectively bypassing security controls and granting unauthorized access to sensitive user data.

    The vulnerability, dubbed "FlagLeft," was discovered in several popular Microsoft 365 Android apps, including Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote. These apps are used by millions of people worldwide, and the discovery of this bug highlights the importance of regular security updates and patches.

    The vulnerability stems from a single line of code left in the shipped build, which enables debug mode and disables the check that limits account-token sharing to trusted Microsoft apps. As a result, any app on the same device can request the signed-in user's token and use it to access sensitive data, including email, files, calendar events, and messages.

    Microsoft has issued four CVEs (Common Vulnerabilities and Exposures) for this vulnerability, with CVSS scores ranging from 4.4 to 7.7. The affected apps include Microsoft 365 Copilot, Word, PowerPoint, and Excel; Teams was not affected because a different flag was set to false.

    The Enclave researchers built a working proof-of-concept that demonstrated how the vulnerability could be exploited by pulling tokens through an unverified third-party app and reading email with them. This highlights the potential severity of the bug and emphasizes the need for users to update their apps to the latest versions as soon as possible.

    Microsoft has patched this vulnerability, but the patch does not retroactively invalidate tokens already held by attackers. FOCI (Family of Client IDs) refresh tokens, the family refresh tokens shared across Microsoft's first-party apps, can outlive an app update, so users who ran old builds alongside untrusted apps on their devices should consider revoking their refresh tokens and forcing a fresh sign-in.

    This discovery serves as a reminder of the importance of regular security updates and the need for developers to thoroughly test their code before releasing it. It also highlights the importance of user awareness and education in maintaining their own security.

    In light of this vulnerability, security teams managing Android fleets should push the latest updates through MDM (Mobile Device Management) systems and confirm that no devices are still running builds earlier than 16.0.19822.20190. Users who have been affected by this bug are advised to update their apps immediately and take steps to protect themselves from potential attacks.
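    The two remediation steps above (confirm fleet builds, then force re-authentication for exposed users) can be driven from an MDM inventory export. The following is an added example, not code from the article, Enclave, or Microsoft: the fixed build string comes from the article, while the inventory rows, device identifiers, user names, and app version strings are constructed for illustration.

```python
"""Fleet triage for the FlagLeft advisory (added example, not the article's own code)."""

# Fixed build quoted in the article; any older build of an affected app is vulnerable.
FIXED_BUILD = "16.0.19822.20190"

# Apps the article lists as affected. Teams is deliberately absent (not affected).
AFFECTED_APPS = {"Word", "PowerPoint", "Excel", "OneNote", "Microsoft 365 Copilot", "Microsoft Loop"}


def parse_build(version: str) -> tuple[int, ...]:
    """Split a dotted build string into integers so comparison is numeric.

    A plain string compare gets this wrong: "16.0.9999.1" sorts *above*
    "16.0.19822.20190" lexically, which would hide a vulnerable build.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_BUILD) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return parse_build(version) < parse_build(fixed)


def triage(inventory):
    """Return (devices_to_update, users_to_reauth) from MDM inventory rows.

    Each row is a dict with keys device, user, app, version. Devices still on a
    vulnerable build of an affected app go on the update list; their users go on
    the list whose refresh tokens should be revoked, since a patch alone does
    not invalidate tokens an untrusted app may already have obtained.
    """
    devices, users = [], set()
    for row in inventory:
        if row["app"] in AFFECTED_APPS and is_vulnerable(row["version"]):
            devices.append((row["device"], row["app"], row["version"]))
            users.add(row["user"])
    return devices, users


# Constructed sample inventory; identifiers and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"device": "android-01", "user": "alice", "app": "Word", "version": "16.0.19822.20190"},
    {"device": "android-02", "user": "bob", "app": "Excel", "version": "16.0.19725.20000"},
    {"device": "android-02", "user": "bob", "app": "Teams", "version": "16.0.1.1"},
    {"device": "android-03", "user": "carol", "app": "PowerPoint", "version": "16.0.9999.10000"},
    {"device": "android-04", "user": "dave", "app": "OneNote", "version": "16.0.19900.20000"},
]

if __name__ == "__main__":
    to_update, to_reauth = triage(SAMPLE_INVENTORY)
    print("devices to update:", to_update)
    print("users to force re-sign-in:", sorted(to_reauth))
```

    Note that android-03 is flagged only because the comparison is numeric; a lexical compare of its build string against the fixed build would have cleared it.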

    Furthermore, this vulnerability demonstrates the need for more comprehensive security controls and measures to prevent such exploits in the future. It is essential for developers, policymakers, and individuals to work together to create a safer online environment.

    In conclusion, the recent discovery of this critical vulnerability in Microsoft 365 Android apps underscores the importance of regular security updates, user awareness, and responsible development practices. By taking proactive steps to address this bug and educate users about potential threats, we can reduce the risk of attacks and maintain a safer digital ecosystem.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-in-Microsoft-365-Android-Apps-A-Threat-to-User-Identity-and-Security-ehn.shtml

  • https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html


  • Published: Wed Jun 3 16:44:31 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.