Exclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk

Recent findings have revealed a significant security vulnerability in six Microsoft 365 Android applications that together account for billions of downloads. The discovery was made by Enclave, an AI-driven bug hunting firm, and shared exclusively with SecurityWeek ahead of the public release of its research.

Details of the Vulnerability

The issue stems from a single debug flag that was inadvertently left active in the production builds of Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote for Android. Specifically, debug mode was enabled by a call to IsDebugMode(true) that shipped in the release code. The oversight did not extend to other Microsoft applications such as Teams, which remained unaffected.

What a debug flag changes varies widely from one codebase to another. Here, it changed how account access tokens are shared between apps on the device. According to Enclave, “With debug mode enabled, the protection that should have blocked untrusted apps from receiving tokens was skipped.” The sharing mechanism exists so that a user signed into one Microsoft app can move to another without signing in again; with the trust check skipped, any Android app on the device could request and receive those tokens.
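The failure mode is easiest to see in code. The following Java class is an added illustration written for this article, not Microsoft's code or the affected apps' code: the class, method and package names, the certificate fingerprints and the caller scenario are all constructed for the example. It places the vulnerable pattern (a debug flag that short-circuits the caller check) beside a hardened form in which no runtime flag can influence the decision and the caller is pinned to its signing certificate rather than its package name.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.Map;

/**
 * Illustrative broker-side gate deciding whether a calling app may receive a
 * signed-in account's token. Constructed for this article; the names and
 * fingerprints below are not Microsoft's. On Android the caller identity
 * would come from Binder.getCallingUid() / PackageManager.getPackagesForUid()
 * and the certificate from PackageManager.getPackageInfo(pkg,
 * GET_SIGNING_CERTIFICATES); this example takes them as plain parameters.
 */
public final class TokenShareGate {

    /** Constructed allowlist: caller package -> SHA-256 fingerprint of its signing certificate (lowercase hex). */
    private static final Map<String, String> TRUSTED_CALLERS = Map.of(
        "com.example.suite.word",  "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b",
        "com.example.suite.excel", "9f8e7d6c5b4a39281706f5e4d3c2b1a09f8e7d6c5b4a39281706f5e4d3c2b1a0"
    );

    private TokenShareGate() {}

    /**
     * The pattern the article describes: a debug flag that skips the trust
     * check. If the flag is left true in a release build, every caller,
     * including a sideloaded or auto-updated third-party app, is accepted.
     */
    public static boolean canReceiveTokenVulnerable(String callerPackage, String callerCertSha256, boolean debugMode) {
        if (debugMode) {
            return true; // BUG: the protection is skipped entirely
        }
        return isTrustedCaller(callerPackage, callerCertSha256);
    }

    /**
     * Hardened form: there is no flag to bypass the decision. A debug build may
     * log more, but the trust check always runs, and it matches the signing
     * certificate, not just the package name (any sideloaded app can claim a
     * package name; it cannot forge the certificate).
     */
    public static boolean canReceiveToken(String callerPackage, String callerCertSha256) {
        return isTrustedCaller(callerPackage, callerCertSha256);
    }

    private static boolean isTrustedCaller(String callerPackage, String callerCertSha256) {
        if (callerPackage == null || callerCertSha256 == null) {
            return false;
        }
        String expected = TRUSTED_CALLERS.get(callerPackage);
        if (expected == null) {
            return false; // unknown package: reject
        }
        byte[] want = expected.getBytes(StandardCharsets.US_ASCII);
        byte[] got = callerCertSha256.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(want, got); // constant-time comparison
    }

    public static void main(String[] args) {
        // Constructed scenario: a third-party game on the same device asks for a token.
        String game = "com.example.game";
        String gameCert = "0".repeat(64);

        System.out.println("vulnerable, debug flag on:  " + canReceiveTokenVulnerable(game, gameCert, true));
        System.out.println("vulnerable, debug flag off: " + canReceiveTokenVulnerable(game, gameCert, false));
        System.out.println("hardened:                   " + canReceiveToken(game, gameCert));

        // A genuine family app presenting the expected certificate (case-insensitive hex).
        System.out.println("hardened, trusted caller:   " + canReceiveToken("com.example.suite.word",
            "1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0F1A2B"));
    }
}
```

The point of the hardened version is structural rather than clever: the debug flag is simply not a parameter of the trust decision, so forgetting to flip it before release cannot widen who receives tokens. Anything a debug build legitimately needs (extra logging, a test account) should be wired through a build-time constant such as Android's BuildConfig.DEBUG and kept out of the authorization path.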

Exploitation Potential

The ramifications of this vulnerability are profound. An attacker could craft a snippet as brief as 15 lines that requests tokens from the affected Microsoft apps, embed it in a separate app or in a modified version of an existing Android application, and the only remaining step would be getting that app onto victims' devices.

Yanir Tsarimi, co-founder and CPO at Enclave, elucidated the potential for exploitation: “Suppose you are a mobile device game developer with auto-update enabled and 10,000 users. You could write malicious code seeking access to the affected Microsoft apps and include it in an update. Once delivered, the update installs automatically, allowing the malicious code to stealthily request access to any Microsoft app on the user’s device, receiving the token and sending it back to the attacker.”

In that scenario the user sees nothing unusual, while the attacker gains unauthorized access to the account behind the token. “The owner of the app can do whatever they want with those tokens,” Tsarimi added. The likeliest delivery path, a trusted app's update channel, makes this a supply chain attack from an unconventional angle.

Consequences and Remediation

The potential misuse of these tokens is extensive: they are Microsoft FOCI (Family of Client IDs) tokens, which can be redeemed for access tokens for any other app in Microsoft's first-party family, reused, and refreshed over extended periods without detection. “Any attacker-controlled app could gain full access to Microsoft account data exposed through the affected app context,” Enclave warned. That access could encompass emails, files, documents, communications, and calendar information, enabling attackers to read sensitive data, modify documents, or send communications using the compromised tokens.

Upon discovering the vulnerabilities, Enclave promptly reported them to Microsoft, which quickly confirmed the issues. Microsoft addressed the flaws and issued CVE numbers CVE-2026-41100, -41101, and -41102 on May 12. Patches were distributed through the company's Patch Tuesday mechanism, with the exception of CVE-2026-41102, whose fix was released as a patched build on the Google Play Store on the same day.

As a result, Android users can breathe a sigh of relief, provided they update the affected apps to the patched builds. Enclave concluded its report with a critical observation: “A development setting reached production in several major apps and changed the behavior of a system protecting account access. That should be hard to do by accident. Here, it was not hard enough.”
