Critical Vulnerability In Microsoft Authenticator Exposes Users To Token Theft

by Akinola Ajibola
May 19, 2026
in App, Security

A serious security flaw in Microsoft Authenticator has been found to let attackers steal sign-in tokens and gain unauthorised access to resources; updated versions of the app are now available.

Microsoft’s vulnerability entry describes the problem only in general terms: Microsoft Authenticator exposes information to attackers over the network, so sensitive data may leak and end up in the hands of unauthorized actors. In its FAQ, Microsoft clarifies that the vulnerability can expose the sign-in token for a user’s work account. With that token, unauthorized parties can reach the services and data the account is permitted to access, possibly including private company data.

To exploit the vulnerability, attackers must trick a victim into responding to a malicious request that looks legitimate. Once the user approves it, the attacker can make the app request access tokens on the user’s behalf and deliver them to a service under the attacker’s control. Affected users are not clearly told what kind of access they have granted (CVE-2026-41615, CVSS 9.6, rated “critical”). NIST’s NVD entry, however, assigns only CVSS 7.4, a “high” rating.

Updated versions of Microsoft Authenticator are available in the respective app stores. The fix is included in version 6.8.47 and later on iOS, and in version 6.2605.2973 and later on Android.

Users whose mobile operating system has automatic app updates enabled receive the update automatically. Those who have disabled automatic updates must download and install the updated app from the Google Play Store or the iOS App Store themselves.

Microsoft states that the issue has not yet been exploited, and no exploit is publicly available. Users of Microsoft Authenticator should nevertheless make sure they are running a current version. The app shows the installed version in the app menu under “Help”, then “About”, under “Application version”.
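The version check above is easy to get wrong when done at scale from an MDM export, because dotted version strings do not compare correctly as text. The following is an added example (not Microsoft's code) that compares an installed Authenticator build against the fixed versions named in this article; the function names and the device inventory are my own, and the inventory is constructed sample data.

```python
"""Check whether installed Microsoft Authenticator builds are at or above the
patched release reported in the article (iOS 6.8.47, Android 6.2605.2973).
Added example, not Microsoft's code; function names are assumptions."""

import re
from typing import List, Tuple

# Minimum fixed versions per platform, as reported in the article.
FIXED_VERSIONS = {
    "ios": "6.8.47",
    "android": "6.2605.2973",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.2605.2973' into (6, 2605, 2973).

    Comparing the raw strings would be wrong: as text, '6.10.2' < '6.8.47'
    because '1' sorts before '8'. Tuples of ints compare numerically.
    Trailing build metadata such as '6.8.47 (1234)' is ignored.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(platform: str, installed: str) -> bool:
    """True if the installed build is at or above the fixed version
    for the platform ('ios' or 'android')."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[key])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (device_id, platform, version) tuples, e.g. from an MDM export,
    return the device ids still running a vulnerable build."""
    return [dev for dev, plat, ver in inventory if not is_patched(plat, ver)]


if __name__ == "__main__":
    # Constructed inventory, not real data.
    sample = [
        ("phone-01", "ios", "6.8.47"),
        ("phone-02", "ios", "6.8.46"),
        ("phone-03", "android", "6.2605.2973"),
        ("phone-04", "android", "6.2604.9999"),
        ("phone-05", "ios", "6.10.2"),
    ]
    for dev in triage(sample):
        print(f"{dev}: update Microsoft Authenticator")
```

Note that `phone-05` (iOS 6.10.2) is correctly reported as patched even though a plain string comparison would rank it below 6.8.47.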

The attack also abuses an unclaimed deep-link protocol (ms-msa://): the user is tricked into installing a malicious app, which intercepts authentication requests during a legitimate sign-in and manipulates Microsoft Authenticator into delivering session tokens to an attacker-controlled server. With the stolen tokens, the attacker bypasses passwords and MFA entirely and can reset passwords, remove legitimate authentication methods and register their own devices for persistent access, as threat groups such as Storm-2949 have demonstrated.

To address this critical flaw, update Microsoft Authenticator to the latest version on all devices immediately; enforce device-bound token protection in Microsoft Entra ID, which cryptographically binds tokens to trusted hardware and rejects any token replayed from an unauthorized device; and move high-risk users to phishing-resistant MFA such as FIDO2 passkeys. In addition, configure security monitoring to raise high-risk alerts on new device enrolments or MFA changes, so that any attempted tenant takeover can be responded to quickly.
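The monitoring recommendation above can be expressed as a small detection rule. The following is an added example, not code from Microsoft or TechBooky: it reads simplified audit events, flags device registrations and MFA method changes, and escalates when one user accumulates several such changes within a short window, which is the chained pattern described in this article (password reset, method removal, device registration). The event fields (`activityDateTime`, `activityDisplayName`, `targetUserPrincipalName`), the list of activity names and the sample log lines are assumptions modelled on Entra ID audit logs and should be checked against your own tenant's export.

```python
"""Flag audit events matching the article's recommended monitoring: new device
enrolments and MFA method changes, the follow-on actions of a token-theft
tenant takeover. Added example; field names, activity names and log lines are
assumptions modelled on Entra ID audit logs, not a real export."""

import json
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Activity names treated as high risk. Assumed to mirror Entra audit log
# activityDisplayName values; verify the exact strings in your tenant.
HIGH_RISK_ACTIVITIES = {
    "Register device",
    "Add registered owner to device",
    "User registered security info",
    "User deleted security info",
    "User changed default security info",
}

# Constructed sample log (JSON lines), not real tenant data.
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2026-05-20T09:00:00Z", "activityDisplayName": "Update user", "targetUserPrincipalName": "alice@example.com"}
{"activityDateTime": "2026-05-20T09:05:00Z", "activityDisplayName": "User registered security info", "targetUserPrincipalName": "bob@example.com"}
{"activityDateTime": "2026-05-20T09:07:00Z", "activityDisplayName": "User deleted security info", "targetUserPrincipalName": "bob@example.com"}
{"activityDateTime": "2026-05-20T09:10:00Z", "activityDisplayName": "Register device", "targetUserPrincipalName": "bob@example.com"}
{"activityDateTime": "2026-05-20T11:00:00Z", "activityDisplayName": "Register device", "targetUserPrincipalName": "carol@example.com"}
{"activityDateTime": "2026-05-20T12:00:00Z", "activityDisplayName": "Register device", "targetUserPrincipalName": "bob@example.com"}
"""


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines audit events and attach a timezone-aware timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Accept the trailing 'Z' form on older Python versions as well.
        ev["_ts"] = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def flag_high_risk(events: List[Dict], window_minutes: int = 30) -> List[Dict]:
    """Return one alert per high-risk event. Severity is 'high' for a single
    event and 'critical' when the same target user has two or more distinct
    high-risk activities inside the window, i.e. the chained takeover pattern."""
    alerts = []
    by_user: Dict[str, List[Dict]] = {}
    window = timedelta(minutes=window_minutes)
    for ev in sorted(events, key=lambda e: e["_ts"]):
        if ev["activityDisplayName"] not in HIGH_RISK_ACTIVITIES:
            continue
        user = ev["targetUserPrincipalName"]
        history = by_user.setdefault(user, [])
        history.append(ev)
        recent = [h for h in history if ev["_ts"] - h["_ts"] <= window]
        distinct = {h["activityDisplayName"] for h in recent}
        alerts.append({
            "time": ev["activityDateTime"],
            "user": user,
            "activity": ev["activityDisplayName"],
            "severity": "critical" if len(distinct) >= 2 else "high",
        })
    return alerts


def run_sample() -> List[Dict]:
    """Run the rule over the constructed sample log."""
    return flag_high_risk(parse_events(SAMPLE_AUDIT_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['time']} {alert['severity']:8} {alert['user']}: {alert['activity']}")
```

In the sample, bob's three changes within five minutes escalate to critical, while carol's single device registration and bob's later, isolated registration at 12:00 (outside the 30-minute window) stay at high. In production the same rule would consume the Entra audit log via the Graph API or a SIEM export rather than an inline string.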
