Microsoft Authenticator Leak Lets Apps Sniff One‑Time Codes
Security researchers found that specific builds of Microsoft Authenticator unintentionally broadcast the generated one‑time password (OTP) to any app with permission to read the device’s clipboard or accessibility data. The flaw allowed unrelated applications on the same device to capture the six‑digit code before the user could paste it into the target service, effectively leaking the second factor.
The exposure could let malicious apps or compromised software harvest OTPs and bypass multi‑factor authentication, facilitating account takeover and lateral movement. Microsoft issued an emergency update to close the leak, and defenders must immediately verify that all endpoints run the patched version, enforce strict app‑permission policies, and monitor for anomalous authentication attempts that might indicate OTP harvesting.
Categories: Vulnerabilities & Exploits, Identity & Access Management