Microsoft Patches Token Theft Flaw in Six Microsoft 365 Android Apps
Summary
A debug flag (setIsDebugMode(true)) in a shared Microsoft SDK caused six Microsoft 365 Android apps—Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot—to be vulnerable to token theft. A separate malicious app installed on the same device could request Microsoft account tokens without user interaction. Microsoft patched the issue and issued CVEs on May 12, 2026.
Key quotes
A debug flag enabled in six Microsoft 365 Android apps allowed a separate installed app on the same device to request Microsoft account tokens without user interaction.
The flaw was traced to setIsDebugMode(true), which skipped the check that blocks untrusted apps from receiving tokens.
The vulnerable logic was in a shared Microsoft SDK, so the misconfiguration appeared across all six apps.
Microsoft patched the issue and issued CVEs on May 12, 2026.
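A build-time check a team could run against this class of mistake, added here as an illustration and not taken from Microsoft's SDK or the original report: it flags hard-coded setIsDebugMode(true) calls that are not inside an if (BuildConfig.DEBUG) guard. The AuthSdk class name, the sample source and the Java-style guard convention are assumptions.

```python
import re

# Comments are blanked (newlines kept) so commented-out calls are ignored
# and reported line numbers still match the file.
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
# Assumption: debug-only code is gated on Android's generated BuildConfig.DEBUG.
GUARD = re.compile(r"\bif\s*\(\s*BuildConfig\.DEBUG\s*\)")
# Block/statement delimiters plus the call named in the summary above.
TOKEN = re.compile(r"[{};]|\bsetIsDebugMode\s*\(\s*true\s*\)")

# Constructed sample input; AuthSdk is a hypothetical class name.
SAMPLE = """\
class App {
    void initRelease() {
        AuthSdk.get().setIsDebugMode(true);
    }
    void initGuarded() {
        if (BuildConfig.DEBUG) {
            AuthSdk.get().setIsDebugMode(true);
        }
        // setIsDebugMode(true) in a comment is ignored
        AuthSdk.get().setIsDebugMode( true );
    }
}
"""


def find_unguarded_debug_calls(source: str) -> list[int]:
    """Return 1-based line numbers of setIsDebugMode(true) calls that sit
    outside every `if (BuildConfig.DEBUG)` block (Java-style source assumed)."""
    text = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    stack, hits, stmt_start = [], [], 0   # stack: one bool per open brace
    for m in TOKEN.finditer(text):
        tok, stmt = m.group(), text[stmt_start:m.start()]
        if tok == "{":
            stack.append(bool(GUARD.search(stmt)))   # block opened by guard?
        elif tok == "}" and stack:
            stack.pop()
        elif tok not in "{};":
            # The call itself: safe only inside a guarded block or when it
            # is the braceless body of the guard in the same statement.
            if not (any(stack) or GUARD.search(stmt)):
                hits.append(text.count("\n", 0, m.start()) + 1)
            continue
        stmt_start = m.end()
    return hits


if __name__ == "__main__":
    print(find_unguarded_debug_calls(SAMPLE))
```

The scanner is deliberately conservative: a compound condition or an else branch is reported for manual review instead of being treated as guarded.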