Microsoft has released a major security update for its Authenticator app after discovering a critical vulnerability that could allow attackers to steal sign-in access tokens from users. The flaw affects both Android and iOS versions of the app and could potentially grant unauthorised access to company accounts, cloud services, and sensitive organisational data.
According to the company, the vulnerability could expose sign-in tokens tied to users’ work accounts. If attackers obtain these tokens, they may be able to access the same services and data that the affected user is authorised to use.
Microsoft says the flaw has not been actively exploited so far, and there are currently no publicly known exploits available. Even so, Microsoft is urging users to update the app immediately.
How The Attack Works
Microsoft explains that attackers would first need to trick users into interacting with what appears to be a legitimate authentication request. Once the victim approves the request, the attackers could manipulate the app into generating an access token on the user’s behalf and sending it to a server controlled by the attacker.
The company also notes that affected users may not receive sufficiently clear information about what permissions or access they are granting during the process. This could make the attack harder for ordinary users to detect.
Microsoft classified the vulnerability as “critical”, with the issue reportedly capable of affecting systems outside the direct security scope of the vulnerable component itself. In practice, this means a compromised authentication token could potentially provide access to additional services managed by separate systems or organisations.
Updated Versions Now Available
Microsoft has already released patched versions of the Authenticator app through the respective app stores. On Android, users should update to version 6.2605.2973 or newer, while iPhone users should install version 6.8.47 or later.
Users with automatic app updates enabled should receive the fix automatically. Those who have disabled automatic updates will need to manually update the app through the Google Play Store or Apple App Store.
(Source: Microsoft Security Response Centre)
