A new vulnerability has been found in Microsoft Authenticator for both iOS and Android; it could leak your sign-in codes or authentication deep links to a malicious app

Microsoft Authenticator is a mobile app that generates time-based one-time codes and handles sign-in links and QR-based logins for Microsoft and other accounts. It is widely used for multi-factor authentication on personal phones, including personal devices used for work under BYOD (bring your own device) policies.
Yesterday it was revealed that a vulnerability in the app on both iOS and Android (CVE-2026-26123) could leak your one-time sign-in codes or authentication deep links to a malicious app on the same device. A deep link is a specially constructed link that opens a specific app and hands it data needed to complete an action, such as finishing a sign-in.
Any Android or iOS user with the app installed is potentially affected until the app is updated.
How could the vulnerability be exploited?
Exploitation needs two things to go wrong. First, the user must install a malicious app that registers itself as a handler for the same kind of sign-in link that Authenticator handles. Second, when a sign-in link is opened, the user must pick that app instead of Authenticator; on Android this typically happens through the chooser dialog the system shows whenever more than one installed app claims a link. If that happens, the link, together with any one-time code or sign-in data it carries, is delivered to the malicious app rather than to Authenticator, and the attacker can use it to authenticate as the victim.
With that code or link in hand, the attacker can complete login flows for services that trust Authenticator codes, access the data and services the compromised account can reach, and potentially pivot to additional accounts whose codes are also delivered through Authenticator on the same device.
What is the solution?
The fix for CVE-2026-26123 is included in the current App Store and Google Play releases, so if you have Microsoft Authenticator installed, update it to the latest version available in your store now.
On iOS
- Open the App Store
- Tap the My Account button or your photo at the top of the screen
- Scroll down to see pending updates and release notes
- Tap Update next to an app to update only that app, or tap Update All
On Android
- Open the Google Play Store app
- At the top right, tap the profile icon
- Tap Manage apps & device
- Under “Updates available,” tap See details
- Next to the app you want to update, tap Update
If you cannot update immediately, reduce the window of exposure until you can:
- Do not install new apps that ask to handle authentication links, QR-based sign-ins, or web-to-app sign-in flows.
- When you scan a QR code or tap a sign-in link and the phone asks which app should open it, choose Microsoft Authenticator (or another app you deliberately set up for this), and never pick "Always" for an app you do not recognize. If you suspect you already did, on Android open that app's "Open by default" page under Settings > Apps and clear its defaults.
- Where possible, fall back to an MFA method that does not pass through the app, such as a FIDO2 security key, until the update is applied.
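The advice above to "verify that the handler is Microsoft Authenticator" can be checked rather than guessed on Android: the package manager will tell you which installed activities would receive a given link. The script below is an added example written for this page, not code from the original post or from Microsoft. It parses the output of `adb shell pm query-activities -a android.intent.action.VIEW -d '<link>'` and reports whether the link would be delivered unambiguously to the trusted app. The sample dumps are constructed, the package name `com.azure.authenticator` is assumed to be Authenticator's Android package, and the one-`packageName=`-line-per-activity layout of the dump is an assumption about the tool's output format; adjust the regex if your device prints it differently.

```python
"""Check which Android apps would receive a sign-in deep link.

Added example, not part of the original post. Usage on a real device:

    python handler_check.py 'https://example.invalid/signin?code=...'

which shells out to adb; without adb it still runs the constructed samples.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Assumed package name of Microsoft Authenticator on Android.
TRUSTED_PACKAGE = "com.azure.authenticator"

# Constructed sample dumps (not captured from a real device). The layout,
# one 'packageName=' line per matching activity, is assumed to match what
# `pm query-activities` prints.
SAMPLE_TWO_HANDLERS = """\
2 activities found:
  Activity #0:
    priority=0 preferredOrder=0 match=0x5c00000 specificIndex=-1 isDefault=true
    ActivityInfo:
      name=com.azure.authenticator.ui.MainActivity
      packageName=com.azure.authenticator
  Activity #1:
    priority=0 preferredOrder=0 match=0x5c00000 specificIndex=-1 isDefault=true
    ActivityInfo:
      name=com.example.flashlight.LinkActivity
      packageName=com.example.flashlight
"""

SAMPLE_ONE_HANDLER = """\
1 activities found:
  Activity #0:
    priority=0 preferredOrder=0 match=0x5c00000 specificIndex=-1 isDefault=true
    ActivityInfo:
      name=com.azure.authenticator.ui.MainActivity
      packageName=com.azure.authenticator
"""

SAMPLE_NO_HANDLER = "No activities found\n"

# Only whole 'packageName=' lines; 'name=' lines must not match.
_PKG_RE = re.compile(r"^\s*packageName=(\S+)\s*$", re.MULTILINE)


@dataclass(frozen=True)
class Verdict:
    safe: bool
    reason: str
    handlers: tuple


def handlers_from_dump(dump: str) -> list:
    """Package names, in resolution order, that would be offered for the link."""
    return _PKG_RE.findall(dump)


def assess(dump: str, trusted: str = TRUSTED_PACKAGE) -> Verdict:
    """Decide whether opening the link would reach only the trusted app.

    Any untrusted package in the list is a problem: with two or more claimants
    Android shows a chooser, which is exactly the step the attack relies on.
    """
    handlers = tuple(handlers_from_dump(dump))
    others = [p for p in handlers if p != trusted]
    if not handlers:
        return Verdict(False, "no app handles this link; it will not open", handlers)
    if trusted not in handlers:
        return Verdict(False, f"{trusted} is not a handler; link goes to {others}", handlers)
    if others:
        return Verdict(False, f"chooser would appear, other claimants: {others}", handlers)
    return Verdict(True, f"only {trusted} handles this link", handlers)


def query_device(link: str) -> str:
    """Run pm query-activities over adb and return its stdout (assumed CLI)."""
    cmd = ["adb", "shell", "pm", "query-activities",
           "-a", "android.intent.action.VIEW", "-d", link]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:
        try:
            dump = query_device(sys.argv[1])
        except (FileNotFoundError, subprocess.CalledProcessError) as exc:
            sys.exit(f"could not query device: {exc}")
        v = assess(dump)
        print("SAFE" if v.safe else "UNSAFE", v.reason)
    else:
        for name, sample in [("two handlers", SAMPLE_TWO_HANDLERS),
                             ("one handler", SAMPLE_ONE_HANDLER),
                             ("no handler", SAMPLE_NO_HANDLER)]:
            v = assess(sample)
            print(f"{name}: {'SAFE' if v.safe else 'UNSAFE'} ({v.reason})")
```

The check is deliberately strict: a link is only considered safe when every matching activity belongs to the trusted package, since a second claimant is what produces the chooser that the attack depends on. iOS offers no equivalent command-line query for custom URL scheme handlers, so on iOS the practical control remains not installing unknown apps that handle sign-in links until the update is applied.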