Microsoft Authenticator
cpe:2.3:a:microsoft:authenticator:*:*:*:*:*:*:*
A vulnerability in Microsoft Authenticator for iOS and Android allows an unauthorized attacker to disclose information locally. The issue arises from improper authorization in the handling of custom URL schemes, which lets an attacker obtain one-time sign-in codes or authentication deep links. Exploitation requires that the user has a malicious application installed and inadvertently selects it as the handler for sign-in links, such as those accessed via QR codes.
Exploitation of this vulnerability could lead to unauthorized access: an attacker who intercepts a sign-in code or deep link could use it to authenticate as the user, potentially gaining access to sensitive information or services associated with the user's account.
Users can download the security update for Microsoft Authenticator for iOS or Android from the respective app stores. Instructions for applying the update are available in the Microsoft Knowledge Base.