
Microsoft Patches Token Theft Flaw in Six Microsoft 365 Android Apps

1mo ago · 1 min read · en · News

Summary

A debug flag (setIsDebugMode(true)) in a shared Microsoft SDK caused six Microsoft 365 Android apps—Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot—to be vulnerable to token theft. A separate malicious app installed on the same device could request Microsoft account tokens without user interaction. Microsoft patched the issue and issued CVEs on May 12, 2026.

Source

bsky · Microsoft Patches Token Theft Flaw in Six Microsoft 365 Android Apps · briefly.co

Key quotes

A debug flag enabled in six Microsoft 365 Android apps allowed a separate installed app on the same device to request Microsoft account tokens without user interaction.
The flaw was traced to setIsDebugMode(true), which skipped the check that blocks untrusted apps from receiving tokens.
The vulnerable logic was in a shared Microsoft SDK, so the misconfiguration appeared across all six apps.
Microsoft patched the issue and issued CVEs on May 12, 2026.
Snippet from the RSS feed
A production debug setting in shared Microsoft 365 Android SDKs let other apps request Microsoft account tokens without user interaction.
