Microsoft Android Apps Vulnerable to Token Theft via Debug Flag Flaw
A single line of debug code left in six Microsoft 365 Android apps could have exposed billions of app downloads to unauthorized access to Microsoft account tokens.

Six widely used Microsoft 365 Android applications—Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote—harbored a critical vulnerability stemming from a single line of debug code left in their production builds. This oversight, specifically the IsDebugMode(true) flag, inadvertently disabled security measures designed to protect user authentication tokens, potentially putting billions of app downloads at risk.
The vulnerability was discovered by Enclave, an AI-powered hunter for exploitable bugs, and shared exclusively with SecurityWeek. The debug flag changed how the apps shared account access tokens. Normally, Microsoft's apps are designed to securely pass authentication tokens between authorized Microsoft applications on the same device without requiring repeated user logins. With debug mode enabled, however, the restriction to Microsoft-signed callers was bypassed, so any malicious Android application could request and receive these sensitive Microsoft account tokens.
Exploiting this flaw required minimal effort from an attacker. A malicious app or code snippet, as short as 15 lines, could be developed to request Microsoft app access. The primary challenge for attackers would be distributing such an app to a large number of Android devices. Once installed, the malicious code could stealthily request tokens from affected Microsoft apps, receive them, and exfiltrate them back to the attacker without the user's knowledge.
"The attacker could just write a snippet that is 15 lines of code. It just seeks access to the MS app and is given the token," explained Yanir Tsarimi, co-founder and CPO at Enclave. "It doesn’t get any simpler than that, because it’s just a feature that is supposed to be there." The core issue was not the token-sharing mechanism itself, but the accidental enabling of a debug setting that removed the crucial restriction to only other Microsoft apps.
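As an added illustration of the mechanism described above (not Microsoft's code; the class, method and flag names are assumptions, and the trusted-signer fingerprint is a placeholder), the Android check below gates a token hand-off on the calling app's signing certificate: the flawed form lets a debug flag bypass the allowlist the way the article describes, while the hardened form honours the flag only in a debuggable build and otherwise fails closed.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.Set;

/** Hypothetical gatekeeper in front of an IPC entry point that hands account tokens to other apps. */
public final class CallerVerifier {
    // Base64(SHA-256) of signing certificates allowed to receive tokens (constructed placeholder).
    private static final Set<String> TRUSTED_SIGNERS = Collections.singleton("PLACEHOLDER_SIGNER_SHA256_B64");
    private final Context ctx;
    private final boolean debugMode; // hypothetical stand-in for the article's IsDebugMode flag
    public CallerVerifier(Context ctx, boolean debugMode) { this.ctx = ctx; this.debugMode = debugMode; }
    // Flawed form: the debug flag short-circuits the allowlist, so a release build that
    // shipped with debugMode == true hands tokens to any caller.
    public boolean isCallerTrustedFlawed() {
        if (debugMode) return true; // fails open
        return callerSignedByTrustedSigner();
    }
    // Hardened form: the override only takes effect in a debuggable build; in a release
    // build an enabled debug flag is a misconfiguration and the request is denied.
    public boolean isCallerTrustedHardened() {
        boolean debuggable = (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        if (debugMode && !debuggable) return false; // fails closed
        return callerSignedByTrustedSigner();
    }
    // Every package sharing the calling UID must be signed only by allowlisted certificates.
    private boolean callerSignedByTrustedSigner() {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (String pkg : pkgs) {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                if (info.signingInfo == null) return false;
                for (Signature sig : info.signingInfo.getApkContentsSigners()) {
                    String fp = Base64.getEncoder().encodeToString(sha256.digest(sig.toByteArray()));
                    if (!TRUSTED_SIGNERS.contains(fp)) return false;
                }
            }
            return true;
        } catch (Exception e) { return false; } // unknown package or digest failure: deny
    }
}
```

Call the verifier from inside the Binder transaction (a bound Service method or ContentProvider call), since Binder.getCallingUid() only identifies the caller there; a release-build test that asserts isCallerTrustedHardened() returns false for an untrusted caller with debugMode set is the regression check that would have caught this class of slip.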
The potential impact of this vulnerability is significant. The stolen Microsoft FOCI (Family of Client IDs) tokens could be reused and refreshed over extended periods, granting attackers prolonged access. "Any attacker-controlled app could gain full access to Microsoft account data exposed through the affected app context," warned Enclave. This could include sensitive data such as emails, files, documents, communications, and calendar information, enabling attackers to read, modify, or even send communications on behalf of the compromised user.
Enclave promptly reported the findings to Microsoft, which confirmed and addressed the vulnerabilities. Microsoft issued CVE numbers CVE-2026-41100, CVE-2026-41101, and CVE-2026-41102 on May 12. Patches were distributed through Microsoft's regular Patch Tuesday updates, with the exception of the PowerPoint for Android vulnerability (CVE-2026-41102), which was fixed and pushed directly to the Google Play Store on the same day.
While Android users are now protected, provided they have updated their applications, the incident highlights a critical lapse in development and quality assurance processes. "But the important part is this: a development setting reached production in several major apps and changed the behavior of a system protecting account access. That should be hard to do by accident. Here, it was not hard enough," Tsarimi concluded, underscoring the need for more robust checks to prevent debug configurations from inadvertently reaching production environments.