VYPR
patchPublished Jun 2, 2026· Updated Jun 3, 2026· 4 sources

Microsoft Android Apps Vulnerable to Token Theft via Debug Flag Flaw

A single line of debug code left in six Microsoft 365 Android apps could have exposed billions of app downloads to unauthorized access to Microsoft account tokens.

Six widely used Microsoft 365 Android applications—Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote—harbored a critical vulnerability stemming from a single line of debug code left in their production builds. This oversight, specifically the IsDebugMode(true) flag, inadvertently disabled security measures designed to protect user authentication tokens, potentially putting billions of app downloads at risk.

The vulnerability was discovered by Enclave, an AI-powered exploitable bug hunter, and shared exclusively with SecurityWeek. The debug flag altered the application's behavior concerning account access token sharing. Normally, Microsoft's apps are designed to securely pass authentication tokens between authorized Microsoft applications on the same device without requiring repeated user logins. However, the enabled debug mode bypassed the intended restriction, allowing any malicious Android application to request and receive these sensitive Microsoft account tokens.

Exploiting this flaw required minimal effort from an attacker. A malicious app or code snippet, as short as 15 lines, could be developed to request Microsoft app access. The primary challenge for attackers would be distributing such an app to a large number of Android devices. Once installed, the malicious code could stealthily request tokens from affected Microsoft apps, receive them, and exfiltrate them back to the attacker without the user's knowledge.

"The attacker could just write a snippet that is 15 lines of code. It just seeks access to the MS app and is given the token," explained Yanir Tsarimi, co-founder and CPO at Enclave. "It doesn’t get any simpler than that, because it’s just a feature that is supposed to be there." The core issue was not the token-sharing mechanism itself, but the accidental enabling of a debug setting that removed the crucial restriction to only other Microsoft apps.

The potential impact of this vulnerability is significant. The stolen Microsoft FOCI tokens could be reused and refreshed over extended periods, granting attackers prolonged access. "Any attacker-controlled app could gain full access to Microsoft account data exposed through the affected app context," warned Enclave. This could include sensitive data such as emails, files, documents, communications, and calendar information, enabling attackers to read, modify, or even send communications on behalf of the compromised user.

Enclave promptly reported the findings to Microsoft, which confirmed and addressed the vulnerabilities. Microsoft issued CVE numbers CVE-2026-41100, CVE-2026-41101, and CVE-2026-41102 on May 12. Patches were distributed through Microsoft's regular Patch Tuesday updates, with the exception of the PowerPoint for Android vulnerability (CVE-2026-41102), which was fixed and pushed directly to the Google Play Store on the same day.

While Android users are now protected, provided they have updated their applications, the incident highlights a critical lapse in development and quality assurance processes. "But the important part is this: a development setting reached production in several major apps and changed the behavior of a system protecting account access. That should be hard to do by accident. Here, it was not hard enough," Tsarimi concluded, underscoring the need for more robust checks to prevent debug configurations from inadvertently reaching production environments.

The vulnerability, dubbed FlagLeft, was present in a shared Microsoft SDK and affected Word, Excel, PowerPoint, Copilot, Loop, and OneNote on Android, impacting billions of users. While the initial report focused on the general flaw, this article provides specific CVEs assigned by Microsoft, including CVE-2026-41100 for Copilot, CVE-2026-41101 for Word, and CVE-2026-41102 for PowerPoint, detailing their respective CVSS scores and the CWE classification of Improper Access Control.

The vulnerability, discovered by Enclave, stemmed from a debug setting mistakenly left enabled in production releases of six Microsoft 365 Android apps, including Word, Excel, and PowerPoint. This error disabled a critical security control that prevented other applications from illicitly obtaining authentication tokens, potentially exposing millions of users to account takeover and sensitive data theft. Microsoft has since issued updates and multiple CVEs for the flaws, including CVE-2026-41100, CVE-2026-41101, CVE-2026-42832, and CVE-2026-41102.

This new report details the specific mechanism of the vulnerability, dubbed FlagLeft by researchers, which was caused by a single line of debug code (setIsDebugMode(true)) left in a shared Microsoft SDK. This flaw affected six Microsoft 365 apps: Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote, with Microsoft assigning four CVEs (CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, CVE-2026-42832) to Copilot, Word, PowerPoint, and Excel respectively. While the vulnerability was patched in May, the report notes that the FOCI refresh tokens remain valid even after an app update, meaning affected accounts may need to have their tokens revoked and be forced to re-authenticate.

Synthesized by Vypr AI