Overview
A critical flaw dubbed FlagLeft exposed billions of Android users to silent Microsoft account token theft across six major Microsoft 365 apps — Word, PowerPoint, Excel, Copilot, Loop, and OneNote.
Researchers at Enclave and Ofek Levin discovered that a single forgotten debug flag left active in production (setIsDebugMode(true)) disabled the authorization gate that normally restricts token sharing between trusted Microsoft apps. This oversight allowed any third‑party app on the same device to request and receive valid Microsoft account tokens without user interaction or consent.

Vulnerability Mechanism
The flaw originated in a shared Microsoft SDK, propagating across all six apps simultaneously.
| Stage | Component | Impact |
|---|---|---|
| Debug Flag Enabled | setIsDebugMode(true) left active | Disabled trust verification |
| FOCI Token Sharing | Family of Client IDs (FOCI) | Allowed seamless single sign‑on across apps |
| Authorization Bypass | Missing gate in SDK | Any app could request tokens |
| Silent Token Theft | No login prompt or alert | Tokens handed to untrusted apps |
| Account Takeover | Long‑lived, refreshable tokens | Full access to user data and services |
With debug mode active, co‑installed apps could silently obtain FOCI tokens, granting access to emails, OneDrive files, messages, and calendar data under the victim’s identity.
Technical Details
Microsoft 365 apps rely on FOCI (Family of Client IDs) to enable single sign‑on across the suite. Normally, only trusted Microsoft apps can exchange tokens. However, the debug flag bypassed this trust check, collapsing the entire authentication model.
Affected apps:
- Word for Android — CVE‑2026‑41101 (High, 7.1)
- PowerPoint for Android — CVE‑2026‑41102 (High, 7.1)
- Excel for Android — CVE pending
- Microsoft 365 Copilot for Android — CVE‑2026‑41100 (Medium, 4.4)
- Microsoft Loop for Android — CVE pending
- OneNote for Android — CVE pending
Microsoft Teams was unaffected — its debug flag was correctly set to false.
All of these vulnerabilities are classified as CWE‑284 (Improper Access Control); the advisories were published May 12, 2026.
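As an added illustration (not code from Microsoft's SDK or from the researchers), the Android Java class below shows the defect class described above: a token-sharing authorization gate that a debug flag short-circuits, beside a hardened form that verifies the calling package's signing certificate unconditionally. The class and method names and the allowlist digest are assumptions; the signature-check APIs are standard Android (API level 28+).

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class TokenShareGate {
    // Hypothetical allowlist of SHA-256 signing-certificate digests for the apps in
    // the same FOCI family. The value is a placeholder, not a real digest.
    private static final Set<String> TRUSTED_SIGNER_SHA256 = new HashSet<>(
            Arrays.asList("PLACEHOLDER_SHA256_OF_FAMILY_SIGNING_CERT"));
    // VULNERABLE pattern: a debug flag left true in a production build makes every
    // co-installed app a "trusted" caller. This is the FlagLeft defect class.
    static boolean isCallerTrustedVulnerable(Context ctx, boolean debugMode) {
        if (debugMode) return true;  // short-circuits the trust check
        return callerSignedByTrustedKey(ctx);
    }
    // HARDENED: no flag can skip the check; authorization never depends on a build boolean.
    static boolean isCallerTrusted(Context ctx) {
        return callerSignedByTrustedKey(ctx);
    }
    // Call from the broker's IPC entry point (ContentProvider or AIDL service) so that
    // Binder.getCallingUid() identifies the requesting app rather than this process.
    private static boolean callerSignedByTrustedKey(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        try {
            for (String pkg : pkgs) {  // every package sharing the UID must pass
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                for (Signature sig : info.signingInfo.getApkContentsSigners()) {
                    if (!TRUSTED_SIGNER_SHA256.contains(sha256Hex(sig.toByteArray()))) return false;
                }
            }
            return true;
        } catch (Exception e) {
            return false;  // unknown package or digest failure: fail closed
        }
    }
    private static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The check compares certificate digests rather than package names, since a package name can be claimed by any installer while the signing key cannot.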
Impact and Remediation
The combined installs of the six affected apps span billions of Android devices worldwide. Every signed‑in user was potentially exposed to silent token theft by any co‑installed app, with no visible indicator of compromise.
Microsoft has patched all six apps. Users should:
- Update Microsoft 365 apps to the latest Android versions immediately.
- Audit OAuth token activity in Microsoft Defender for Cloud Apps for anomalies.
- Verify MDM deployment across managed devices.
- Rotate tokens and re‑authenticate for all affected accounts.
Expert in the Cloud Insight
The FlagLeft incident demonstrates how a single boolean flag can unravel an entire authentication trust model when it escapes into production. The flaw wasn’t in the FOCI design, but in the missing gate that controlled access to it.