The Root Cause: A Debugging Oversight
A single line of debug code left enabled in production builds of six Microsoft 365 Android apps silently handed user account tokens to any third-party app on the same device, without any notification or consent. Security researchers discovered that the flag `setIsDebugMode(true)` remained active in the shared Microsoft SDK used by Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and Microsoft OneNote. With this flag on, the SDK skipped the authorization check that normally restricts token requests to trusted Microsoft applications. Microsoft Teams was not affected because its debug flag was correctly set to false in production.
How the Attack Worked and Its Impact
The attack abused Microsoft’s FOCI (Family of Client IDs) token sharing system, which is designed to enable seamless single sign-on across the Microsoft 365 suite. Normally, FOCI allows legitimate Microsoft apps to request tokens from each other without requiring separate logins. With debug mode activated, however, any co-installed, untrusted third-party app could make the same token request and receive valid, long-lived, refreshable Microsoft account tokens. An attacker could then silently read emails, access OneDrive files, send messages, and view calendar data, all under the identity of the signed-in user, with no suspicious activity appearing in logs. Microsoft has patched all reported issues, assigning severity ratings ranging from medium to high.
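To make the bug class concrete, here is an added, constructed model of a same-device token broker (not Microsoft's SDK code): the vulnerable variant lets a debug flag bypass the caller check, while the hardened variant always verifies the caller's signing certificate and refuses to run with debug mode in a release build. Package names, certificate digests and the token format are invented placeholders.

```python
"""Model of a same-device token broker whose caller check can be disabled by a
debug flag. Constructed illustration; names and digests are placeholders, not
values from any real SDK."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: package name -> SHA-256 of its release signing certificate.
TRUSTED_SIGNERS = {
    "com.example.suite.docs": hashlib.sha256(b"placeholder-docs-cert").hexdigest(),
    "com.example.suite.mail": hashlib.sha256(b"placeholder-mail-cert").hexdigest(),
}

@dataclass(frozen=True)
class Caller:
    package: str       # package name of the requesting app
    cert_sha256: str   # digest of its signing certificate, as reported by the OS

# Constructed sample callers: one legitimate family app, one unrelated app.
TRUSTED_CALLER = Caller("com.example.suite.docs", TRUSTED_SIGNERS["com.example.suite.docs"])
UNTRUSTED_CALLER = Caller("com.example.other", hashlib.sha256(b"other-cert").hexdigest())

def caller_is_trusted(caller: Caller) -> bool:
    """Accept only callers whose signing certificate matches the pinned digest."""
    expected = TRUSTED_SIGNERS.get(caller.package)
    return expected is not None and secrets.compare_digest(expected, caller.cert_sha256)

def issue_token_vulnerable(caller: Caller, debug_mode: bool) -> Optional[str]:
    """Bug class described above: the debug flag short-circuits the caller check,
    so when it is left on in production any co-installed app receives a token."""
    if debug_mode or caller_is_trusted(caller):
        return "tok-" + secrets.token_hex(8)
    return None

def issue_token_hardened(caller: Caller, debug_mode: bool, release_build: bool) -> Optional[str]:
    """Hardened variant: the caller check always runs, debug mode only adds logging,
    and enabling it in a release build is rejected as a configuration error."""
    if debug_mode and release_build:
        raise RuntimeError("debug mode must not be enabled in a release build")
    if not caller_is_trusted(caller):
        return None
    if debug_mode:
        print(f"[debug] issuing token to verified caller {caller.package}")
    return "tok-" + secrets.token_hex(8)

def release_build_rejects_debug() -> bool:
    """Return True if the hardened broker refuses debug mode in a release build."""
    try:
        issue_token_hardened(TRUSTED_CALLER, debug_mode=True, release_build=True)
    except RuntimeError:
        return True
    return False
```

A release-build unit test asserting that an untrusted caller never receives a token, regardless of the debug flag, is the check that would have caught this class of oversight before shipping.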
Source: Cyber Security News