The Hacker News · Thursday · June 4, 2026

Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

microsoft · android · security · token-theft

The Hacker News reports that several Microsoft 365 Android apps shipped with a development flag enabled in production builds. This flag disables the verification that limits account-token sharing to trusted Microsoft applications. As a result, any other app installed on the same phone can request and receive the signed-in user's authentication token. With that token, the malicious app can read emails, open files, browse the calendar, and send messages on behalf of the user—all without requiring a password, login screen, or permission prompt. The vulnerability affects multiple Microsoft 365 apps, though the exact list was not specified in the excerpt. The issue stems from a leftover debug configuration that was not removed before release, highlighting a lapse in secure build practices. Users are advised to review app permissions and monitor for unusual activity until Microsoft releases a fix.
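The failure mode described above, sketched as an added example (not Microsoft's code and not taken from the article): a token-sharing service whose caller check can be switched off by a development flag, next to a variant where that flag is inert outside debuggable builds. The class name, the `SKIP_CALLER_CHECK` switch, the certificate placeholder, and the assumption that trust is decided by signing certificate are all hypothetical.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Set;

/** Hypothetical caller check for a token-sharing Binder service (API 28+). */
public final class CallerVerifier {
    // Placeholder: lowercase-hex SHA-256 of each trusted signing certificate.
    private static final Set<String> TRUSTED_CERTS =
            Collections.singleton("<sha256-of-trusted-signing-cert>");
    // Hypothetical development switch, meant for local testing only.
    static final boolean SKIP_CALLER_CHECK = false;

    /** Weak: a switch left on in a release build disables the check for every caller. */
    static boolean isTrustedWeak(Context ctx) {
        return SKIP_CALLER_CHECK || callerIsTrusted(ctx);
    }

    /** Hardened: the switch has no effect unless this app itself is a debuggable build. */
    static boolean isTrustedHardened(Context ctx) {
        boolean debuggable = (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return (debuggable && SKIP_CALLER_CHECK) || callerIsTrusted(ctx);
    }

    private static boolean callerIsTrusted(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false; // fail closed
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (String pkg : pkgs) { // every package sharing the caller's UID must pass
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) return false;
                for (Signature sig : info.signingInfo.getApkContentsSigners()) {
                    StringBuilder hex = new StringBuilder();
                    for (byte b : md.digest(sig.toByteArray())) hex.append(String.format("%02x", b));
                    if (!TRUSTED_CERTS.contains(hex.toString())) return false;
                }
            }
            return true;
        } catch (Exception e) {
            return false; // unknown package or missing digest algorithm: deny
        }
    }
}
```

`Binder.getCallingUid()` only identifies the caller while the service is handling an incoming Binder transaction, so the check belongs inside the exported entry point that hands out the token.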

// why it matters

Any app can steal Microsoft 365 tokens, compromising user data without user interaction.

Sources

Primary · The Hacker News