A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps.
Any other app on the same phone could ask for the signed-in user’s token and get it, then read email, open files, browse the calendar, and send messages as that user. No password, no login screen, no permission prompt….
Read the rest of the story at Read More
Source: The Hacker News
Recent News
Leave a Comment