
A newly discovered vulnerability in Microsoft Authenticator could expose sensitive login codes to malicious apps on the same device, raising concerns about the security of one of the most widely used multi-factor authentication tools.

The vulnerability, tracked as CVE-2026-26123, affects the Microsoft Authenticator app on both Android and iOS devices. According to security reports, the flaw could allow a malicious application installed on the same phone to intercept authentication information such as one-time login codes or special sign-in links.

With more than 75 million users worldwide, Microsoft Authenticator is widely used to provide multi-factor authentication (MFA) for Microsoft and third-party services. The app generates short-lived login codes and also processes QR-based sign-ins and authentication links.

Security researchers say the vulnerability centres on deep links, which are specially crafted links that open a specific function inside a mobile app and are often used to complete sign-in actions.

How the attack could happen

Experts say the flaw cannot be exploited remotely. Instead, a victim would first need to install a malicious application on their device and then inadvertently select that app to handle an authentication deep link.

If that occurs, the malicious software could receive the login code or sign-in data intended for Microsoft Authenticator. An attacker could then potentially use that information to access services protected by the app.

If exploited successfully, attackers could:

  • Complete login processes that rely on Microsoft Authenticator codes
  • Access data tied to the compromised account, such as emails, files, or cloud services
  • Potentially move on to other accounts protected by the same device's authentication codes
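The attack path above depends on a detail of how mobile platforms route links: an https:// link can be bound to a specific app through a verification file the domain publishes, whereas a custom-scheme deep link has no such binding, so any installed app that declares the scheme can be offered to the user as a handler. The following Python script is an added example, not code from the article or from Microsoft, that models this routing decision on Android using the real Digital Asset Links format (`/.well-known/assetlinks.json`). The package names, host, signing fingerprints and the `exampleauth` scheme are constructed placeholders, and the routing logic is a simplified model of Android's behaviour rather than a reimplementation of it.

```python
"""Model which installed apps Android may route a sign-in link to.

https:// links are "App Links": Android verifies them against the
Digital Asset Links file the domain publishes at
/.well-known/assetlinks.json, and a verified app receives the link
without a chooser dialog.  Custom-scheme deep links (e.g. "exampleauth://")
have no such registry, so every installed app that declares the scheme
may be offered to the user as a handler.  Simplified illustrative model;
nothing here is Microsoft's code.
"""
import json
from urllib.parse import urlsplit

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"


def normalise_fingerprint(fp: str) -> str:
    """Compare SHA-256 signing fingerprints case- and colon-insensitively."""
    return fp.replace(":", "").upper()


def authorized_handlers(assetlinks_text: str) -> set[tuple[str, str]]:
    """Parse an assetlinks.json document into the (package, fingerprint)
    pairs entitled to handle all URLs for the publishing host."""
    allowed = set()
    for statement in json.loads(assetlinks_text):
        if HANDLE_ALL_URLS not in statement.get("relation", []):
            continue
        target = statement.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        package = target.get("package_name")
        for fp in target.get("sha256_cert_fingerprints", []):
            allowed.add((package, normalise_fingerprint(fp)))
    return allowed


def route_link(url: str, assetlinks_by_host: dict, installed_apps: dict):
    """Return ("verified", [pkgs]) when the link can only reach apps the
    domain vouches for, or ("chooser", [pkgs]) when the user would be asked
    to pick a handler from every app that claims the link.

    installed_apps maps package name -> {"fingerprint": str,
    "hosts": set of https hosts claimed, "schemes": set of custom schemes}.
    """
    parts = urlsplit(url)
    if parts.scheme in ("http", "https"):
        host = parts.hostname or ""
        allowed = authorized_handlers(assetlinks_by_host.get(host, "[]"))
        claimants = sorted(p for p, a in installed_apps.items() if host in a["hosts"])
        verified = [p for p in claimants
                    if (p, normalise_fingerprint(installed_apps[p]["fingerprint"])) in allowed]
        if verified:
            return ("verified", verified)
        return ("chooser", claimants)
    # Custom scheme: no verification mechanism exists, so any claimant is a candidate.
    claimants = sorted(p for p, a in installed_apps.items() if parts.scheme in a["schemes"])
    return ("chooser", claimants)


# --- Constructed sample data (placeholders, not real packages or certificates) ---
LEGIT_FP = "AA:BB:CC:DD:EE:FF:00:11"   # shortened placeholder fingerprint
ROGUE_FP = "99:88:77:66:55:44:33:22"   # shortened placeholder fingerprint

ASSETLINKS_BY_HOST = {
    "login.example.test": json.dumps([{
        "relation": [HANDLE_ALL_URLS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.authenticator",
            "sha256_cert_fingerprints": [LEGIT_FP],
        },
    }]),
}

INSTALLED_APPS = {
    # The genuine authenticator: listed by the domain, also declares a custom scheme.
    "com.example.authenticator": {
        "fingerprint": LEGIT_FP,
        "hosts": {"login.example.test"},
        "schemes": {"exampleauth"},
    },
    # A look-alike app claiming the same host and scheme under its own signing key.
    "com.example.lookalike": {
        "fingerprint": ROGUE_FP,
        "hosts": {"login.example.test"},
        "schemes": {"exampleauth"},
    },
}


def demo():
    """Route one https App Link and one custom-scheme deep link."""
    https_link = "https://login.example.test/signin?code=PLACEHOLDER"
    scheme_link = "exampleauth://signin?code=PLACEHOLDER"
    return {
        "https": route_link(https_link, ASSETLINKS_BY_HOST, INSTALLED_APPS),
        "scheme": route_link(scheme_link, ASSETLINKS_BY_HOST, INSTALLED_APPS),
    }


if __name__ == "__main__":
    for kind, (mode, apps) in demo().items():
        print(f"{kind}: {mode} -> {apps}")
```

Running the script shows the contrast the article's scenario relies on: the https link is routed only to the package the domain's assetlinks.json vouches for, while the custom-scheme link produces a chooser in which the look-alike app sits beside the genuine one, which is the moment the user could pick the wrong handler. The same model also shows why a repackaged app signed with a different key fails verification even if it reuses the legitimate package name.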

Patch already available

Security researchers say the vulnerability has already been fixed in recent versions of the app. Users are therefore encouraged to install the latest update as soon as possible.

On iOS devices, users can update apps through the Apple App Store, while Android users can install updates via the Google Play Store.

If immediate updating is not possible, experts recommend avoiding the installation of unfamiliar apps that request access to authentication links or QR-based login prompts. Users should also double-check that sign-in links open in trusted apps such as Microsoft Authenticator.

More security changes coming

Separately, Microsoft is preparing another security upgrade for enterprise users. The company plans to restrict the use of Microsoft Authenticator on phones that have been jailbroken or rooted, which removes built-in operating system protections.

The move will roll out gradually for organizations using Microsoft Entra identity services. According to reports, the update will first warn users running modified devices, then block authentication features and remove stored account data if the device remains compromised.

The Android rollout began in late February 2026 and is expected to conclude by mid-2026, while the iOS rollout will begin in April and finish around the same timeframe.

For more security news, read how a vulnerability in the Ally WordPress plugin could put over 400,000 websites at risk.
