By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Cybersecurity Beat
Search
  • Home
  • News & Alerts
  • Articles
  • Features
  • Spotlight
  • About
    • Mission
    • Services
    • Contact
Reading: Forgotten Debug Flag in Microsoft 365 Android Apps Exposed Account Tokens to Any App
  • AI
  • Android
  • Authentication
  • Breaches
  • CASB
  • Compliance
  • Cryptography
  • Cyberinsurance
  • EDR
  • IAM
  • Malware
  • Phishing
  • Quantum
  • Ransomware
  • SecOps
  • SIEM
  • SOC
  • Threat Intelligence
  • Vulnerabilities
  • Zero Trust
Cybersecurity BeatCybersecurity Beat
Font ResizerAa
Search
  • News & Alerts
  • Articles
  • Spotlight
  • Features
  • Resources
Follow US
  • About CSB
  • Services
  • Contact
  • Privacy
  • Legal
©2026 CybersecurityBeat. All Rights Reserved.
News & Alerts

Forgotten Debug Flag in Microsoft 365 Android Apps Exposed Account Tokens to Any App

An overlooked debug flag in six Microsoft 365 Android apps allowed any untrusted app on the device to silently steal Microsoft account tokens, bypassing all authorization checks.

CSBadmin
Last updated: June 3, 2026 11:02 am
CSBadmin
2 Min Read
Share
SHARE

The Root Cause: A Debugging Oversight

A single line of debug code left enabled in production builds of six Microsoft 365 Android apps silently handed over user account tokens to any third-party app on the same device, without any notification or consent. Security researchers discovered that the flag `setIsDebugMode(true)` remained active in the shared Microsoft SDK used by Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and Microsoft OneNote. This flag turned off the authorization check that normally restricts token requests to trusted Microsoft applications only. Microsoft Teams was not affected because its debug flag was correctly set to false in production.

Contents
The Root Cause: A Debugging OversightHow the Attack Worked and Its Impact

How the Attack Worked and Its Impact

The vulnerability exploited Microsoft’s FOCI (Family of Client IDs) token sharing system, which is designed to enable seamless single sign-on across the Microsoft 365 suite. Normally, FOCI allows legitimate Microsoft apps to request tokens from each other without requiring separate logins. However, with debug mode activated, any co-installed, untrusted third-party app could make the same token request and receive valid, long-lived, refreshable Microsoft account tokens. An attacker could then silently read emails, access OneDrive files, send messages, and view calendar data, all under the identity of the signed-in user, with no suspicious activity appearing in logs. Microsoft has patched all reported issues, assigning severity ratings ranging from medium to high.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

TAGGED:Account TakeoverAndroidDebug ModeSDK Vulnerability
Share This Article
Facebook Print
ByCSBadmin
Follow:
The latest in cybersecurity news and updates.
Previous Article HTTP/2 Attack Chokes Major Web Servers With Memory Exhaustion
Next Article Microsoft Silently Fixes Azure Backup for AKS Privilege Escalation Vulnerability

Trending

Spirals ransomware encrypts victim networks in under 24 hours
July 18, 2026
Zoom patches critical Windows flaw that allows account takeover
July 19, 2026
Russian hackers use fake Webex and Zoom installers to deliver Starland RAT
July 18, 2026
New NadMesh botnet hunts exposed AI services for cloud credentials
July 18, 2026
Grok Build uploaded entire Git repositories to xAI cloud storage
July 19, 2026

Related Stories

CSBadmin

Simple Tricks Bypass AI Skill Security Scanners in Major Platforms

CSBadmin

AI Coding Tools Fuel a New Wave of Low Skill High Impact Cyber Attacks

CSBadmin

Multiple Vendors Issue Critical Security Patches for Code Execution and Injection Flaws

CSBadmin

Critical Flaw in Gogs Code Collaboration Platform Allows Unauthorized Repository Access

csb-sized
  • About CSB
  • Services
  • Contact
  • Privacy
  • Legal

© 2026 Cybersecurity Beat. All rights reserved.

Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?