Microsoft 365 Android Debug Flag Exposes Account Tokens
🔴 Critical | Source: The Hacker News

A debug flag accidentally left enabled in production builds of multiple Microsoft 365 Android apps disabled a security check that restricts account token sharing to trusted Microsoft applications. As a result, any app installed on the same Android device could silently request and receive the signed-in user’s authentication token, granting full access to email, files, calendar, and the ability to send messages on their behalf. No user interaction, credentials, or elevated permissions were required to exploit this. ...
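The failure mode described above, as an added Kotlin example (not Microsoft's code and not from the source article): a token provider's trusted-caller check with a debug bypass, next to a form that has no bypass path. It assumes the trust check is a signing-certificate allowlist evaluated inside a Binder call on API 28+; `TRUSTED_CALLERS`, the package name, the certificate placeholder and both function names are hypothetical.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Binder
import java.security.MessageDigest

// Hypothetical allowlist: package name -> SHA-256 (hex) of its signing certificate.
// The values below are placeholders, not real identifiers.
private val TRUSTED_CALLERS = mapOf(
    "com.example.trusted.mail" to "<SHA-256-OF-SIGNING-CERT>",
)

private fun sha256Hex(bytes: ByteArray): String =
    MessageDigest.getInstance("SHA-256").digest(bytes)
        .joinToString("") { "%02x".format(it) }

// Weak form: a debug switch short-circuits the caller check. If the switch
// ships enabled in a release build, every app on the device counts as trusted.
fun isCallerTrustedWeak(context: Context, debugSkipCallerCheck: Boolean): Boolean {
    if (debugSkipCallerCheck) return true
    return isCallerTrusted(context)
}

// Hardened form: no bypass path, and every failure returns false (fail closed).
// Caller identity comes from the Binder UID, never from caller-supplied data,
// so this must run inside the incoming Binder transaction.
fun isCallerTrusted(context: Context): Boolean {
    val pm = context.packageManager
    val packages = pm.getPackagesForUid(Binder.getCallingUid()) ?: return false
    // Every package sharing the calling UID must be allowlisted with a matching cert.
    return packages.isNotEmpty() && packages.all { pkg ->
        val expected = TRUSTED_CALLERS[pkg] ?: return@all false
        val info = try {
            pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES)
        } catch (e: PackageManager.NameNotFoundException) {
            return@all false
        }
        val signers = info.signingInfo?.apkContentsSigners ?: return@all false
        // Exactly one current signer, whose certificate hash matches the allowlist.
        signers.size == 1 &&
            sha256Hex(signers[0].toByteArray()).equals(expected, ignoreCase = true)
    }
}
```

A release pipeline can back this up by failing any build in which a bypass switch of this kind resolves to true, so the check does not depend on someone remembering to turn it off.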