Protect.Computer

Microsoft Authenticator flaw (CVE-2026-26123) can leak sign-in codes

1 min read · Identity theft · Device safety

What happened

A medium-severity vulnerability in Microsoft Authenticator, CVE-2026-26123, can let a malicious app on the same phone capture authentication deep links and potentially expose one-time sign-in data.

The issue affects Microsoft Authenticator on Android and iOS and requires local user interaction (for example, choosing the wrong app handler for an authentication deep link).

Why this matters

Authenticator apps are part of your account recovery and multi-factor login flow. If attackers can intercept authentication links or codes on a compromised phone, they may be able to:

  1. Complete sign-ins to accounts protected by Authenticator.
  2. Bypass expected MFA friction during phishing-style login attempts.
  3. Reuse access to pivot into email, cloud storage, or workplace apps.

What to do right now

  1. Update Microsoft Authenticator from the App Store / Google Play immediately.
  2. Remove unknown or recently installed apps that requested unusual permissions.
  3. Review account sign-in history for unfamiliar devices and locations.
  4. Revoke active sessions and rotate passwords for sensitive accounts.
  5. Prefer phishing-resistant MFA where available (passkeys, hardware keys).

How to check if you’re affected

Affected services/devices:

  • Microsoft Authenticator on Android and iOS devices.
  • Higher risk if your phone has untrusted apps installed that can register URL handlers.

Quick verification steps:

  1. Check app version now
    • Android: Play Store → Microsoft Authenticator → verify you are on the latest available build.
    • iOS: App Store → Microsoft Authenticator → verify you are on the latest available build.
  2. Confirm recent unusual prompts
    • If you recently saw a prompt asking which app should open a sign-in/auth link, treat it as suspicious.
  3. Audit account activity
    • In your Microsoft account and connected services, review recent sign-ins for unknown IPs/devices.
  4. Contain if suspicious
    • Remove untrusted apps, force sign-out everywhere, and re-enroll MFA on a clean device.
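Step 3 above (audit account activity) is easier to do consistently with a small script than by eye. The following is an added example, not code from Protect.Computer or Microsoft: it takes an exported list of sign-in records, builds a baseline of devices and IP addresses seen before the last seven days, and flags recent successful sign-ins from a device or address not in that baseline. The record layout and all values are constructed for illustration (the IPs are RFC 5737 documentation addresses); a real activity export will use its own field names, so adapt the keys.

```python
"""Flag unfamiliar sign-ins in an exported account activity list.

Added example for this article; not Microsoft code and not tied to the
Authenticator app's own logs. The record format is constructed: real
exports use their own field names, so adapt the keys before use.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample export: older records form the baseline, the last
# week is what we audit. IPs are documentation ranges, not real hosts.
SAMPLE_SIGNINS = [
    {"time": "2026-02-20T08:02:00Z", "ip": "203.0.113.10", "device": "Pixel 8", "result": "success"},
    {"time": "2026-02-25T09:15:00Z", "ip": "203.0.113.10", "device": "Work laptop", "result": "success"},
    {"time": "2026-03-02T18:40:00Z", "ip": "203.0.113.44", "device": "Pixel 8", "result": "success"},
    {"time": "2026-03-09T07:55:00Z", "ip": "203.0.113.10", "device": "Pixel 8", "result": "success"},
    {"time": "2026-03-11T22:10:00Z", "ip": "198.51.100.7", "device": "Pixel 8", "result": "success"},
    {"time": "2026-03-12T03:31:00Z", "ip": "198.51.100.23", "device": "Unknown Android", "result": "failure"},
    {"time": "2026-03-12T03:33:00Z", "ip": "198.51.100.23", "device": "Unknown Android", "result": "success"},
]

# "Now" is fixed so the example is reproducible offline.
NOW = datetime(2026, 3, 15, tzinfo=timezone.utc)


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(records, cutoff):
    """Return (devices, ips) seen in successful sign-ins before the cutoff."""
    devices, ips = set(), set()
    for rec in records:
        if rec["result"] == "success" and parse_time(rec["time"]) < cutoff:
            devices.add(rec["device"])
            ips.add(rec["ip"])
    return devices, ips


def flag_unfamiliar(records, now=NOW, recent_days=7):
    """Flag recent successful sign-ins from a device or IP absent from the baseline.

    Failed attempts are ignored: they are noise for this check, and a single
    successful sign-in from an unknown device is what warrants containment.
    Severity is "high" when both device and IP are new, "medium" otherwise.
    """
    cutoff = now - timedelta(days=recent_days)
    known_devices, known_ips = build_baseline(records, cutoff)
    findings = []
    for rec in records:
        if rec["result"] != "success" or parse_time(rec["time"]) < cutoff:
            continue
        reasons = []
        if rec["device"] not in known_devices:
            reasons.append("new device")
        if rec["ip"] not in known_ips:
            reasons.append("new IP")
        if reasons:
            findings.append({
                "time": rec["time"],
                "device": rec["device"],
                "ip": rec["ip"],
                "reasons": reasons,
                "severity": "high" if len(reasons) == 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in flag_unfamiliar(SAMPLE_SIGNINS):
        print(f"{finding['severity']:6} {finding['time']} {finding['device']} "
              f"from {finding['ip']}: {', '.join(finding['reasons'])}")
```

On the constructed data this reports a medium finding (a known phone from a new address, which may just be travel) and a high finding (an unknown device from a new address). A high finding that lands shortly after an unexpected "which app should open this link?" prompt is exactly the case step 4 is for: remove untrusted apps, sign out everywhere, and re-enroll MFA on a clean device.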

Bottom line

This is not a remotely wormable bug, but it is still dangerous for people with risky app hygiene. Patch Authenticator immediately and review sign-in activity for signs of token or code interception.
