Microsoft 365 Android Apps Token Flaw Enables Silent Credential Harvesting Across Installed Apps
What Happened – A debug flag that should have been disabled was discovered in six Microsoft 365 Android applications. The flag lets any other app on the same device request OAuth access tokens for the logged‑in Microsoft 365 account without prompting the user.
Why It Matters for TPRM –
- The flaw can be weaponised by malicious or compromised apps to obtain enterprise credentials silently.
- Token abuse may lead to data exfiltration from Office 365 services (email, SharePoint, Teams) without the knowledge of the primary user.
- Organizations that rely on Microsoft 365 for critical business functions must verify that their mobile device management (MDM) controls can detect and remediate the vulnerable app versions.
Who Is Affected – Enterprises, government agencies, educational institutions, and any organization that permits employees to use Microsoft 365 Android apps on corporate‑managed or BYOD devices.
Recommended Actions –
- Verify that all Microsoft 365 Android apps are updated to the latest versions where the debug flag is removed.
- Enforce MDM policies that block installation of unapproved Android apps and monitor for token‑request APIs.
- Revoke and re‑issue OAuth refresh tokens for users who may have been exposed.
- Conduct a token‑usage audit in Azure AD sign‑in logs for anomalous activity.
Technical Notes – The vulnerability stems from a leftover debug flag (android:debuggable=true) in the app manifest, allowing inter‑process token requests via the Microsoft Authentication Library (MSAL). No public CVE has been assigned yet. Affected data includes any resources accessible through the compromised token (email, files, Teams chats, etc.).
Source: TechRepublic Security
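As an added example (not Microsoft's or TechRepublic's code) of the verification step in the first recommended action, the script below checks whether an app manifest still carries the android:debuggable="true" flag described in the Technical Notes, working from a decoded AndroidManifest.xml and, optionally, from the flags line of `adb shell dumpsys package <pkg>`. The sample manifests and dumpsys text are constructed, the package names are placeholders, and the dumpsys line format is an assumption.

```python
"""Flag Android app manifests that leave android:debuggable="true" set.

Added example for this write-up, not Microsoft's or TechRepublic's code.
Inputs are decoded AndroidManifest.xml text (e.g. apktool output) and the
text of `adb shell dumpsys package <pkg>`; all samples below are
constructed and the package names are placeholders.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS

def is_debuggable(manifest_xml: str) -> bool:
    """True if <application> carries android:debuggable="true".

    A missing attribute means the Android default, which is false."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    return app.get(DEBUGGABLE_ATTR, "false").strip().lower() == "true"

def package_name(manifest_xml: str) -> str:
    return ET.fromstring(manifest_xml).get("package", "")

def audit_manifests(manifests):
    """Map package name -> debuggable flag for a batch of manifests."""
    return {package_name(m): is_debuggable(m) for m in manifests}

def dumpsys_debuggable(dumpsys_text: str) -> bool:
    """Check the installed package's flags line from dumpsys output.

    Assumes the 'flags=[ ... ]' line format of `dumpsys package`."""
    match = re.search(r"flags=\[([^\]]*)\]", dumpsys_text)
    return bool(match) and "DEBUGGABLE" in match.group(1).split()

# Constructed samples; package names are placeholders, not real apps.
MANIFEST_TMPL = ('<manifest xmlns:android="%s" package="%s">'
                 '<application android:label="x"%s/></manifest>')
LEAKY = MANIFEST_TMPL % (ANDROID_NS, "com.example.leaky", ' android:debuggable="true"')
SAFE = MANIFEST_TMPL % (ANDROID_NS, "com.example.safe", ' android:debuggable="false"')
DEFAULT = MANIFEST_TMPL % (ANDROID_NS, "com.example.default", "")
DUMPSYS_SAMPLE = "  flags=[ DEBUGGABLE HAS_CODE ALLOW_BACKUP ]\n"

if __name__ == "__main__":
    for pkg, dbg in audit_manifests([LEAKY, SAFE, DEFAULT]).items():
        print(f"{pkg}: {'DEBUGGABLE - update/remediate' if dbg else 'ok'}")
```

Run it against manifests pulled from the installed Microsoft 365 app versions in your fleet; any package reported as DEBUGGABLE is a candidate for the update and token-revocation steps above.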