Microsoft Android Apps: Token Exposure via Manifest Misconfiguration

A production misconfiguration in six Microsoft 365 Android applications—Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote—exposed billions of installations to unauthorized Microsoft account (MSA) token theft. The vulnerability stemmed from a debug flag, IsDebugMode(true), erroneously shipped in production binaries. This setting disabled critical isolation mechanisms designed to restrict OAuth 2.0 tokens to authorized Microsoft applications, allowing malicious third-party apps on the same device to intercept sensitive tokens via Android Inter-Process Communication (IPC) and Intents. Successful exploitation enables full Account Takeover (ATO), bypassing authentication boundaries to grant unauthorized access to sensitive cloud data, including Outlook emails and OneDrive documents.
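The isolation mechanism the debug flag switched off is, in practice, a caller-identity check performed by the component that hands out the token over IPC. The added example below (not Microsoft's code or anything from the page) contrasts the weak pattern, a build flag that short-circuits the check, with a hardened version that verifies the calling package's signing certificate and fails closed; the class name, `IS_DEBUG_MODE` flag and allowlist value are assumptions, and the certificate hash is a placeholder.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Set;

public final class TokenCallerAuthz {
    // Hypothetical allowlist: SHA-256 of the signing certificate(s) of the apps
    // allowed to receive MSA tokens. Placeholder value, not a real certificate hash.
    private static final Set<String> ALLOWED_CERT_SHA256 =
        Collections.singleton("PLACEHOLDER_SHA256_OF_TRUSTED_SIGNING_CERT");

    // Weak pattern: a build-time flag that disables isolation. If it is ever true in
    // a release build, any app on the device that can reach this IPC gets a token.
    static final boolean IS_DEBUG_MODE = false;

    static boolean callerIsTrustedWeak(Context ctx) {
        if (IS_DEBUG_MODE) return true;      // the bug: caller check skipped entirely
        return callerIsTrusted(ctx);
    }

    // Hardened pattern: no bypass path, evaluated on the binder thread of the call.
    // Every package sharing the calling UID must be signed by an allowlisted cert.
    static boolean callerIsTrusted(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (String pkg : pkgs) {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                // Conservative: multi-signer APKs are rejected rather than reasoned about.
                if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) return false;
                for (Signature sig : info.signingInfo.getApkContentsSigners()) {
                    if (!ALLOWED_CERT_SHA256.contains(toHex(sha256.digest(sig.toByteArray())))) {
                        return false;
                    }
                }
            }
            return true;
        } catch (Exception e) {
            return false;                    // fail closed on any lookup error
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The practical check for a release pipeline is that no code path equivalent to `callerIsTrustedWeak` survives into production: the decision must depend only on the caller's identity, never on a flag the build can flip.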
