Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag
Summary
A critical security flaw has been discovered in Microsoft 365 Android applications, where a leftover debug flag allows any app on a device to steal account tokens. This vulnerability bypasses standard authentication checks, enabling malicious apps to access sensitive user data like emails, files, and calendars without requiring credentials or user consent.
IFF Assessment
This vulnerability allows any application to gain unauthorized access to sensitive user data, posing a significant risk to individuals and organizations.
Severity
The vulnerability's attack vector is network and local, its attack complexity is low, and its impact on Confidentiality, Integrity, and Availability is high, since it can grant full account access without user interaction.
Defender Context
Defenders should be aware of this vulnerability and encourage users to update their Microsoft 365 Android applications immediately. Organizations should consider implementing stricter app vetting processes and user education on the risks of installing untrusted applications, as this flaw could be exploited by malicious actors to gain unauthorized access to sensitive corporate data.