What Happened
A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps. Any other app on the same phone could ask for the signed-in user's token and get it, then read email, open files, browse the calendar, and send messages as that user. No password, no login screen, no permission prompt.
Why It Matters
The article reports that a debug flag (setIsDebugMode(true)) was mistakenly left enabled in a shared Microsoft SDK used by multiple Microsoft 365 Android apps, disabling the trust check that should restrict account-token sharing to trusted Microsoft apps.[1] With that check gone, any other app on the same device could silently request and receive long-lived Microsoft account tokens and use them to read mail, access files, view calendars, and send messages as the user, with no password, prompt, or visible indicator.[1][2] From a CyberSE.AI perspective, this illustrates an AI/ML and SaaS supply-chain risk pattern: a single misconfigured flag in a shared SDK or component can undermine core authentication and trust assumptions across many apps, including those embedding AI assistants like Microsoft 365 Copilot.[1] Organizations integrating third-party or shared SDKs into AI-enabled applications should implement rigorous SBOM-based dependency tracking, security gating for debug/feature flags, and continuous review of identity and token flows; these are areas where CyberSE.AI's AI Supply Chain & SBOM Advisory can help design controls to prevent similar systemic authentication failures.
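As an added illustration (not code from the article or from Microsoft's SDK), the following Python models the failure mode described above: a token broker whose debug flag short-circuits the caller trust check, next to a hardened variant that refuses to enable debug mode outside a debug build and never skips the check. The broker classes, package names and certificate fingerprints are constructed for this example.

```python
import hashlib
from dataclasses import dataclass


def signer_fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex fingerprint of an app's signing certificate (DER bytes)."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed allowlist: fingerprints of the first-party signing certificates
# whose apps are permitted to receive a shared account token.
TRUSTED_SIGNERS = {signer_fingerprint(b"constructed-first-party-signing-cert")}


@dataclass(frozen=True)
class TokenRequest:
    caller_package: str   # e.g. "com.example.rogue" (constructed name)
    caller_signer: str    # fingerprint of the calling app's signing cert


class WeakTokenBroker:
    """Failure mode: debug mode bypasses the caller trust check outright."""

    def __init__(self) -> None:
        self._debug = False

    def setIsDebugMode(self, enabled: bool) -> None:
        self._debug = enabled

    def may_share_token(self, req: TokenRequest) -> bool:
        if self._debug:   # BUG: left on in a release build, every caller gets the token
            return True
        return req.caller_signer in TRUSTED_SIGNERS


class HardenedTokenBroker:
    """Debug mode is bound to the build type and never skips the check."""

    def __init__(self, build_type: str) -> None:
        self._build_type = build_type   # "debug" or "release", supplied by the build system
        self._debug = False

    def setIsDebugMode(self, enabled: bool) -> None:
        if enabled and self._build_type != "debug":
            raise RuntimeError("debug mode is not permitted in a release build")
        self._debug = enabled

    def may_share_token(self, req: TokenRequest) -> bool:
        trusted = req.caller_signer in TRUSTED_SIGNERS
        if self._debug:   # debug adds visibility only, never a bypass
            print(f"token request from {req.caller_package}: trusted={trusted}")
        return trusted
```

The same pattern applies to any SDK-level flag that alters an authorization decision: tie it to the build type so a release artifact cannot carry it, and keep the trust check on every path.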
CyberSE Analysis
This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html