Microsoft Android apps exposed account tokens after debug flag was left enabled in Word, Excel, PowerPoint, OneNote, Loop and Copilot

Six Microsoft Android apps could hand Microsoft account tokens to unauthorized apps because a debug setting was left enabled in production code. SecurityWeek reports that Enclave found the issue in Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop and OneNote for Android. The flag bypassed the checks meant to restrict token sharing to trusted Microsoft apps, so any app installed on the same device could request reusable FOCI (Family of Client IDs) tokens and potentially use them to access account data. No CVE is cited in the report.
Why it matters: People and organizations using these Android apps could have had account access tokens silently stolen by another app on the same phone, potentially giving that app long-lived access to the account. This is urgent for Microsoft mobile users and defenders: apply Microsoft's fix as soon as it ships, review mobile app trust and update practices, and investigate suspicious Android apps on managed devices.

Sources

Exclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk
Kevin Townsend, 2026.06.02
This article appears to be the first reporting on this specific Microsoft Android token-exposure flaw and establishes the underlying event.