# Critical Microsoft 365 Android Flaw Left a Debug Flag in Production — Any App Could Steal Your Account Token

> A development flag accidentally left active in Microsoft 365 Android apps allowed any app on the same device to steal account tokens — giving attackers access to email, files, and calendar without any user interaction.

**URL:** https://www.ciptadusa.com/blog/microsoft-365-android-security-flaw-flagleft  
**Type:** blog  
**Author:** Siswamedia Support  
**Category:** Application Security  
**Published:** 2026-06-04  
**Cover:** https://siswamedia.956b5d8140adc59dc07609d34e6498a2.r2.cloudflarestorage.com/cds-blog/microsoft-365-android-security-flaw-2026.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=b696964eb75da8c7ce530d8ed59bace5%2F20260604%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20260604T010322Z&X-Amz-Expires=300&X-Amz-Signature=edefcd4242480dca236df2a6ce51d1e556a195e3e7be5fb0501f9f3b1d28465e&X-Amz-SignedHeaders=host&x-amz-checksum-mode=ENABLED&x-id=GetObject  

## Article

## What Happened

A development flag—incorrectly left active in production builds of several Microsoft 365 Android apps—disabled the token-sharing verification check that normally restricts account access to trusted Microsoft apps. The bug, dubbed **FlagLeft** by security researchers at Enclave, affected:

- **Word**
- **PowerPoint**
- **Excel**
- **Microsoft 365 Copilot**
- **Microsoft Loop**
- **OneNote**

These six apps collectively have **billions of downloads**. Teams was unaffected because it shipped with the flag set to `false`, which Enclave attributes to chance rather than to a deliberate design decision.

## How the Attack Would Work

1. User has a vulnerable Microsoft 365 app installed (e.g., Word)
2. Attacker creates a malicious app and installs it on the same Android device
3. The malicious app requests the signed-in user's Microsoft 365 token
4. Because the development flag disabled verification, the token is handed over — **no password, no login screen, no permission prompt**
5. Attacker can now read email, open files, browse calendar, and send messages as the victim

Microsoft's own account-token sharing architecture is designed to let users sign in once and have that session carry across Microsoft apps — but FlagLeft broke the "trusted app" verification that was supposed to enforce that boundary.
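The check that the flag switched off, modelled as an added example that is not from the page and is not Microsoft's code: an Android component that hands account tokens to other apps verifies its caller by the Binder UID and the SHA-256 digest of the caller's APK signing certificate. The development-flag bypass is shown beside the hardened form so the failure mode is visible in code. The package names, certificate hashes and class name are hypothetical; the API calls (`Binder.getCallingUid`, `PackageManager.getPackagesForUid`, `GET_SIGNING_CERTIFICATES`, `SigningInfo`) are real and need API 28 or later.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative caller check for an Android component that hands account tokens to other apps
 * (a ContentProvider.call() or bound-Service method). Hypothetical code, not Microsoft's.
 * Needs API 28+ for SigningInfo; package names and certificate hashes are placeholders.
 */
public final class CallerVerifier {

    /** Trusted callers: package name -> SHA-256 of the APK signing certificate, lowercase hex. */
    private static final Map<String, String> TRUSTED_SIGNERS = new HashMap<>();
    static {
        TRUSTED_SIGNERS.put("com.example.suite.mail",   // placeholder digest
                "0000000000000000000000000000000000000000000000000000000000000001");
        TRUSTED_SIGNERS.put("com.example.suite.files",  // placeholder digest
                "0000000000000000000000000000000000000000000000000000000000000002");
    }

    // VULNERABLE PATTERN: a development switch that short-circuits the check. Shipped as
    // true in a release build it reproduces the FlagLeft failure mode: every app is "trusted".
    static final boolean DEV_SKIP_CALLER_VERIFICATION = true;

    static boolean isCallerTrustedVulnerable(Context ctx) {
        if (DEV_SKIP_CALLER_VERIFICATION) {
            return true; // no UID, package or certificate is ever examined
        }
        return isCallerTrusted(ctx);
    }

    // HARDENED FORM: no bypass exists. Identity comes from the Binder UID of the in-flight IPC
    // call, never from a package name the caller supplies (any app can send any string; the UID
    // is assigned by the OS). Call this on the Binder thread servicing the request.
    static boolean isCallerTrusted(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        int callingUid = Binder.getCallingUid();

        // Packages can share a UID (sharedUserId): every package behind it must be allowlisted.
        String[] packages = pm.getPackagesForUid(callingUid);
        if (packages == null || packages.length == 0) {
            return false;
        }
        for (String pkg : packages) {
            String expectedHex = TRUSTED_SIGNERS.get(pkg);
            if (expectedHex == null) {
                return false; // unknown package in the calling UID
            }
            if (!signerMatches(pm, pkg, expectedHex)) {
                return false; // trusted name, wrong certificate: repackaged or re-signed app
            }
        }
        return true;
    }

    private static boolean signerMatches(PackageManager pm, String pkg, String expectedHex) {
        SigningInfo signingInfo;
        try {
            signingInfo = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES).signingInfo;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
        if (signingInfo == null || signingInfo.hasMultipleSigners()) {
            return false; // this policy does not accept multi-signer APKs
        }
        // Current signer only; a key-rotation policy would also consult getSigningCertificateHistory().
        Signature[] signers = signingInfo.getApkContentsSigners();
        if (signers == null || signers.length != 1) {
            return false;
        }
        byte[] actual = sha256(signers[0].toByteArray());
        return MessageDigest.isEqual(hexToBytes(expectedHex), actual); // constant-time compare
    }

    private static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is always available on Android
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    private CallerVerifier() {}
}
```

Two points the example is built around. First, the only identity the provider may trust is the one the OS attaches to the IPC call; a package name or "I am Word" string in the request body is attacker-controlled, and a package name alone is not enough even when it comes from the OS, because a re-signed copy of a trusted app keeps the name but not the certificate. Second, the fix for a switch like `DEV_SKIP_CALLER_VERIFICATION` is not to set it to `false` but to make sure release builds contain no such code path at all: keep test shortcuts in a debug-only source set or build variant, or inject a test allowlist instead of skipping the check.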

## What Microsoft Did

Microsoft has since **patched the vulnerability**. Users running Microsoft 365 apps on Android are advised to **update immediately**.

## What Makes This Interesting for Engineering Teams

- **Development flags in production are a classic cause of security regressions.** The flag was likely used during internal testing and accidentally shipped in release builds. A security check should not have a runtime switch that turns it off: a flag that merely defaults to `false` is one commit away from shipping as `true`. Test-only bypasses belong in debug-only source sets or build variants, so that release builds contain no such code path, and the release pipeline should fail if one is present.
- **Shared sign-on across an app suite concentrates risk.** When one app's session grants access to every other app's data, the check that decides which callers are trusted becomes the security boundary for the entire suite, and a single flaw there unlocks all of it.
- **The fix was straightforward in principle — flip the flag — but the exposure window mattered.** Any app on the same device could exploit this, no user interaction required.

## Key Takeaways

- Review your own codebase for leftover development flags or debug configurations that made it into production builds
- Audit your app's token-sharing logic if you implement cross-app SSO patterns: confirm that caller identity is derived from the OS (calling UID and signing certificate), not from a name the caller supplies, and that no configuration value can disable the check
- Ensure mobile app builds strip debug flags and testing configurations before release

## Sources

- [The Hacker News — Microsoft 365 Android Apps Let Any App Steal Account Tokens](https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html)
- [Enclave Security — FlagLeft Vulnerability Report](https://enclave.io)
- [BleepingComputer — Microsoft 365 Android Security Coverage](https://www.bleepingcomputer.com)

---

*Markdown version of https://www.ciptadusa.com/blog/microsoft-365-android-security-flaw-flagleft — generated for AI agents and LLM crawlers.*
