Coding Mistake Left Six Microsoft 365 Android Apps Vulnerable to Account Takeover
Exposed debug setting in Microsoft Android apps risked account security by disabling token checks. Patch now available for affected apps.
By Content Team
A debug setting accidentally left enabled in production releases of six Microsoft Android apps — Word, Excel, PowerPoint, OneNote, Loop, and 365 Copilot — exposed users to potential account takeover at massive scale. Researchers at Enclave found that the setting disabled a security check meant to stop untrusted apps from obtaining Microsoft authentication tokens: with the check off, the apps did not verify the identity of the app asking for a token.
Any malicious Android app on the same device could therefore silently request and receive login tokens, giving attackers access to emails, Teams messages, and files. Worse, the stolen tokens were long-lived FOCI (Family of Client IDs) tokens, which are accepted across Microsoft's family of first-party apps and blend in with normal traffic, making detection nearly impossible. Microsoft has since patched all six apps, tracked under CVE-2026-41100 through CVE-2026-42832.
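The bug class described above is a caller-identity check with a debug bypass that shipped in a release build. The following Android example is added here for illustration and is not Microsoft's or Enclave's code; it assumes a hypothetical in-app token broker where a local service hands tokens to other apps, a hypothetical `CallerVerifier` class, and a placeholder allow-list of signing-certificate fingerprints. It shows the vulnerable shape (a debug flag that short-circuits the check) beside a hardened version whose decision depends only on the calling app's signing certificate and fails closed on any error.

```java
// Added illustrative example (not Microsoft's code). Requires API 28+ for
// PackageManager.GET_SIGNING_CERTIFICATES. All names and values are assumptions.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class CallerVerifier {

    // Hypothetical allow-list: SHA-256 fingerprints (hex) of the signing certificates
    // of apps allowed to request tokens. Placeholder value, not a real fingerprint.
    private static final Set<String> TRUSTED_SIGNER_SHA256 = new HashSet<>(Arrays.asList(
            "PLACEHOLDER_SHA256_FINGERPRINT_OF_TRUSTED_SIGNER"
    ));

    // VULNERABLE pattern: a debug toggle short-circuits the caller check. If the toggle
    // is accidentally left true in a production build, every app on the device passes,
    // which is the failure mode the article describes.
    static boolean isCallerTrustedVulnerable(Context ctx, boolean skipCallerCheckForDebug) {
        if (skipCallerCheckForDebug) {
            return true; // bypass path that must never reach a release build
        }
        return callerSignedByTrustedKey(ctx);
    }

    // HARDENED pattern: no bypass path exists at all. The decision depends only on the
    // signing certificate of the calling app, so there is no flag to mis-ship.
    static boolean isCallerTrusted(Context ctx) {
        return callerSignedByTrustedKey(ctx);
    }

    // Resolve the Binder caller's UID to its package(s) and require that EVERY package
    // sharing that UID is signed by an allow-listed certificate (a shared UID means the
    // token could be reachable from any of them). Any error fails closed.
    private static boolean callerSignedByTrustedKey(Context ctx) {
        int callingUid = Binder.getCallingUid();
        PackageManager pm = ctx.getPackageManager();
        String[] packages = pm.getPackagesForUid(callingUid);
        if (packages == null || packages.length == 0) {
            return false;
        }
        try {
            for (String pkg : packages) {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) {
                    return false; // reject unsigned or multi-signer packages outright
                }
                for (Signature sig : info.signingInfo.getApkContentsSigners()) {
                    if (!TRUSTED_SIGNER_SHA256.contains(sha256Hex(sig.toByteArray()))) {
                        return false;
                    }
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed rather than handing out a token on error
        }
    }

    // Hex-encoded SHA-256 of the DER-encoded signing certificate.
    private static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    private CallerVerifier() {}
}
```

Two points follow from the contrast. First, the hardened version has no configuration input, so a release build cannot disable it by accident; if a debug-only relaxation is genuinely needed, it belongs in a separate debug source set that is not compiled into release builds at all, not behind a runtime boolean. Second, the check keys on the signing certificate rather than the package name, since package names can be claimed by any app while the certificate fingerprint cannot be forged without the signing key.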
Source: Dark Reading