"FlagLeft" vulnerability in Microsoft 365 source code puts billions of Android users at risk of data exposure
In the world of programming, a minor oversight can sometimes trigger large-scale security consequences. Recently, researchers discovered a critical vulnerability dubbed "FlagLeft" within the Microsoft 365 application ecosystem for the Android operating system. This issue threatens the information security of billions of users globally, paving the way for malicious applications to silently hijack account access without requiring any user interaction or permission.
Where does this vulnerability stem from?
According to technical analysis reports, the FlagLeft vulnerability stems from a rather rare oversight: the setIsDebugMode(true) test configuration flag was accidentally left in the official software versions released to users.
Normally, this code snippet is only activated internally during the application development and testing phases. However, when present in the production environment, it completely disabled the security barrier responsible for verifying application identity. Consequently, the system could not differentiate between genuine, secure Microsoft applications and malicious software residing on the same device, allowing the latter to easily bypass validation and request authentication tokens.

How was the single sign-on mechanism exploited?
The reason this vulnerability has such a widespread impact lies in a mechanism called FOCI (Family of Client IDs) integrated into Microsoft 365 on Android. This is a single sign-on (SSO) feature designed for user convenience. Thanks to FOCI, users only need to log in to their account once to seamlessly use a suite of ecosystem applications such as Word, Excel, PowerPoint, and OneNote without re-entering their password.
However, once the trust verification shield was disabled by the aforementioned misconfiguration, the FOCI mechanism inadvertently opened the door to threat actors. A malicious or fraudulent third-party application could send requests and receive valid tokens exactly like an authentic Microsoft application.
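The two preceding passages describe the same failure from two angles: a debug flag left in production disables caller identity verification, and the FOCI single sign-on path then hands family tokens to whatever package asks. The following is an added illustrative model, not Microsoft's SDK, Enclave's research code, or any real Microsoft application signature. The package names, certificate bytes, `SdkConfig` fields and the `issue_family_token` hand-off are all constructed assumptions; they show the vulnerable check beside a hardened one that only honours a debug flag in a debuggable build, plus a release-pipeline gate that would have flagged the shipped configuration.

```python
"""Illustrative model of the FlagLeft failure mode (added example, not Microsoft's
or Enclave's code): a caller-identity check that a leftover debug flag short-circuits,
beside a hardened version that never honours the flag in a release build."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class CallerInfo:
    """Identity of the app asking the shared SSO component for a token."""
    package_name: str
    signing_cert: bytes  # APK signing certificate bytes (constructed sample values)


@dataclass(frozen=True)
class SdkConfig:
    debug_mode: bool            # analogue of the setIsDebugMode(true) flag left in production
    build_is_debuggable: bool   # analogue of the host app's debuggable build flag


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Family allow-list: package name -> pinned SHA-256 of its release signing certificate.
# Hypothetical packages and certificates, not real Microsoft app signatures.
TRUSTED_CALLERS = {
    "com.example.word": _sha256_hex(b"word-release-cert"),
    "com.example.excel": _sha256_hex(b"excel-release-cert"),
}
# Certificates a *debuggable* build may additionally accept for allow-listed packages.
DEV_CERT_HASHES = {_sha256_hex(b"team-dev-cert")}


def _pinned_cert_matches(caller: CallerInfo) -> bool:
    """True only if the package is allow-listed and its signing cert matches the pin."""
    expected = TRUSTED_CALLERS.get(caller.package_name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _sha256_hex(caller.signing_cert))


def verify_caller_vulnerable(caller: CallerInfo, cfg: SdkConfig) -> bool:
    """Vulnerable pattern: the debug flag alone disables identity verification, so
    any package on the device passes once the flag ships enabled."""
    if cfg.debug_mode:
        return True
    return _pinned_cert_matches(caller)


def verify_caller_hardened(caller: CallerInfo, cfg: SdkConfig) -> bool:
    """Hardened pattern: the package must always be on the allow-list; the debug flag
    only relaxes *which* certificate is accepted, and only in a debuggable build."""
    if caller.package_name not in TRUSTED_CALLERS:
        return False
    if _pinned_cert_matches(caller):
        return True
    if cfg.debug_mode and cfg.build_is_debuggable:
        return _sha256_hex(caller.signing_cert) in DEV_CERT_HASHES
    return False


def issue_family_token(caller: CallerInfo, cfg: SdkConfig,
                       verify: Callable[[CallerInfo, SdkConfig], bool]) -> Optional[str]:
    """Model of the FOCI-style hand-off: a verified family app receives a token bound
    to the shared session; an unverified caller gets nothing. Token is a stand-in."""
    if not verify(caller, cfg):
        return None
    return f"family-token-for:{caller.package_name}"


def release_config_findings(cfg: SdkConfig) -> List[str]:
    """Build-time gate: findings that should fail a release pipeline before the
    artifact ships, catching the exact misconfiguration described in the article."""
    findings: List[str] = []
    if cfg.debug_mode and not cfg.build_is_debuggable:
        findings.append("debug_mode enabled in a non-debuggable (release) build")
    return findings


if __name__ == "__main__":
    shipped = SdkConfig(debug_mode=True, build_is_debuggable=False)
    rogue = CallerInfo("com.evil.example", b"attacker-self-signed-cert")
    print("vulnerable:", issue_family_token(rogue, shipped, verify_caller_vulnerable))
    print("hardened:  ", issue_family_token(rogue, shipped, verify_caller_hardened))
    print("gate:      ", release_config_findings(shipped))
```

The design point is that a debug switch must never be the sole condition that skips a security check; in the hardened form the allow-list is consulted unconditionally, and the switch is further tied to a property of the build that cannot be true in a release artifact, so a flag accidentally left on degrades to a no-op rather than to an open door.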
Risk of widespread data leaks across multiple applications
Experts assess the risk level of this vulnerability as critical. The hijacked tokens can automatically renew and remain valid for extended periods. Once in possession of these tokens, attackers can gain full authorization to read emails, view files stored on OneDrive, check calendars, and access various other sensitive personal data linked to the victim's Microsoft account. More concerningly, because these access requests utilize valid authentication tokens, the system struggles to detect anomalies, creating significant hurdles for security forensics and investigation.

Enclave, the research team that discovered FlagLeft, stated that this flaw is not isolated to a single application. Instead, it originates from a shared Software Development Kit (SDK) used across multiple Microsoft products. Consequently, a wide range of popular applications, including Microsoft Word, Excel, PowerPoint, OneNote, Loop, and even the Microsoft 365 Copilot assistant on Android, are affected. Microsoft Teams remains unaffected because the debug flag was configured correctly before its release.
Remediation and expert recommendations
Immediately upon receiving the report, the Microsoft Security Response Center (MSRC) confirmed the vulnerability and urgently rolled out patches. Multiple Common Vulnerabilities and Exposures (CVE) identifiers have been assigned to individual applications, with the flaws in Word (CVE-2026-41101) and PowerPoint (CVE-2026-41102) classified as high severity.
Currently, the security updates are available on the Google Play Store. To ensure safety, individual users are strongly advised to immediately update Word, Excel, PowerPoint, OneNote, Loop, and Microsoft 365 Copilot to their latest versions. For organizations and enterprises, system administrators should swiftly review and verify patch deployment across all corporate-managed devices, while closely monitoring OAuth authentication activities to promptly detect any signs of token abuse.
Affecting up to billions of Android devices, FlagLeft is considered one of the most severe access control incidents within the Microsoft 365 ecosystem in recent times. This incident serves as a clear testament to the inherent risks embedded in shared source code components (SDKs), where a single minor misconfiguration can trigger a domino effect, threatening the information security of a whole array of major tech products.
Reference: WhiteHat