
Microsoft Authenticator Could Leak Login Codes—Update Your App Now
Why It Matters
The bug threatens the integrity of multi‑factor authentication, potentially granting attackers access to corporate data and services. Prompt updates are essential to protect both personal and enterprise security.
Key Takeaways
- Authenticator vulnerability leaks OTP via malicious deep-link handler
- Exploit requires user-installed malicious app and link selection
- Patch released; update iOS/Android apps immediately
- BYOD users face heightened risk to corporate resources
- Use alternative MFA until update applied
Pulse Analysis
Microsoft Authenticator’s deep‑link handling was found to inadvertently pass one‑time codes to any app registered for the same URI scheme. By crafting a malicious application that declares itself capable of processing these links, an attacker can capture the authentication token when a user clicks a sign‑in link. The vulnerability hinges on user behavior—installing an untrusted app and selecting it as the link handler—yet the technical flaw resides in insufficient validation of the calling app, exposing a critical attack surface in a widely deployed MFA tool.
Enterprises that endorse Bring‑Your‑Own‑Device policies are particularly exposed. Authenticator codes often protect access to email, cloud storage, and production systems; a compromised code can enable lateral movement across linked accounts. The risk amplifies when employees rely solely on the app for MFA, assuming its isolation from other mobile software. This incident underscores the need for layered security controls, such as mobile threat detection, app‑whitelisting, and continuous monitoring of authentication anomalies, to mitigate the impact of compromised devices.
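As an added example (not code from the article or from Microsoft), the Python below shows the kind of app-inventory check that the allow-listing control above implies: it reads decoded Android manifests and flags any package outside an allow-list that registers for a watched URI scheme. The scheme `example-auth`, the package names and the sample manifests are constructed placeholders, because the article does not name the real scheme.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
WATCHED_SCHEME = "example-auth"  # placeholder: the article does not name the scheme
ALLOWED_PACKAGES = {"com.example.authenticator"}  # hypothetical allow-list

def _manifest(package, activity, scheme):
    """Build a constructed sample manifest in decoded (text XML) form."""
    return f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="{package}">
  <application>
    <activity android:name="{activity}" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="{scheme}"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed inventory: the expected handler, an unrelated app, an unexpected claimant.
SAMPLE_MANIFESTS = [
    _manifest("com.example.authenticator", ".SignInActivity", "example-auth"),
    _manifest("com.example.notes", ".OpenNoteActivity", "example-notes"),
    _manifest("com.example.flashlight", ".LinkActivity", "example-auth"),
]

def scheme_handlers(manifest_xml):
    """Yield (package, component, scheme) for each intent filter that claims a URI scheme."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    for tag in ("activity", "activity-alias"):
        for component in root.iter(tag):
            for flt in component.findall("intent-filter"):
                for data in flt.findall("data"):
                    scheme = data.get(ANDROID_NS + "scheme")
                    if scheme:
                        yield package, component.get(ANDROID_NS + "name"), scheme

def unexpected_handlers(manifests, scheme=WATCHED_SCHEME, allowed=ALLOWED_PACKAGES):
    """Return (package, component) pairs that claim `scheme` but are not allow-listed."""
    return [(pkg, comp) for xml_text in manifests
            for pkg, comp, found in scheme_handlers(xml_text)
            if found == scheme and pkg not in allowed]
```

Manifests inside an APK are stored as binary XML, so they must be decoded to text (for example with apktool) before a check like this can read them.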
Microsoft’s response—embedding the fix in the latest app releases—highlights the importance of rapid patch adoption. Users should update via the App Store or Google Play without delay, and temporarily avoid installing new apps that request authentication‑link handling. Organizations can reinforce security by encouraging alternative MFA methods, like hardware tokens or built‑in platform authenticators, until all devices are patched. The episode serves as a reminder that even trusted security utilities can become vectors if their integration points are not rigorously guarded.