HIGH
One Misconfigured Line Exposed Microsoft Account Tokens Across Billions of Android App Installs
Researchers discovered that a single development configuration setting in Microsoft’s Android apps bypassed platform protections designed to prevent unauthorized applications from accessing Microsoft account tokens. The misconfiguration exposed billions of app installations to potential token theft by any malicious Android app installed on the same device. Stolen tokens could be used to access email, OneDrive, and enterprise Microsoft services without credentials. Microsoft has since addressed the issue. The finding highlights how a single misconfigured SDK flag can create supply-chain-scale token exposure across an entire mobile app ecosystem.