Microsoft Android Apps: Token Exposure via Manifest Misconfiguration
A production misconfiguration in six Microsoft 365 Android applications—Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote—exposed billions of installations to unauthorized Microsoft account (MSA) token theft. The vulnerability stemmed from a debug flag, IsDebugMode(true), erroneously shipped in production binaries. This setting disabled critical isolation mechanisms designed to restrict OAuth 2.0 tokens to authorized Microsoft applications, allowing malicious third-party apps on the same device to intercept sensitive tokens via Android Inter-Process Communication (IPC) and Intents. Successful exploitation enables full Account Takeover (ATO), bypassing authentication boundaries to grant unauthorized access to sensitive cloud data, including Outlook emails and OneDrive documents.
Zapocalypse: Multi-Stage Account Takeover Exploit in Zapier
The "Zapocalypse" exploit is a critical privilege escalation chain targeting Zapier’s "Code by Zapier" Python execution feature. Threat actors leverage the intended functionality of the sandboxed Python environment to abuse platform primitives, escape the restricted execution context, and achieve full Account Takeover (ATO). This logic-based exploit enables attackers to hijack user sessions and subsequently compromise every third-party SaaS application integrated via API into the affected Zapier account. Zapier has since deployed a patch to remediate the vulnerability.