Update Microsoft Authenticator now as a flaw on iOS and Android could leak login codes

By Arnold Wheeler
Published March 16, 2026 11:45 AM

Microsoft has fixed a flaw in Authenticator after researchers flagged risky app-link handling. On both iOS and Android, the bug could hand sensitive sign-in details to another installed app.

The weakness did not let outsiders break in, yet a rogue app on the same device might exploit what looks like a normal tap, leaving one-time passcodes or login links where they should not be. With the patch live, an app update from the App Store or Google Play closes that gap.

How the Microsoft Authenticator flaw can expose one-time codes and sign-in links

Microsoft says the flaw affects how Authenticator opens some login requests on iOS and Android. In certain cases, flawed sign-in URI handling can send a code or sign-in link to another app on the phone instead of keeping it inside Authenticator.

That can happen with email links, browser prompts, or a QR-based login. If a second app claims the same route, deep link hijacking may expose authentication codes, giving an attacker a short window to reuse the login flow for the signed-in account before it closes.

Why a malicious app on the same phone could turn this bug into account access

The weakness turns serious when another app on the same handset can receive that data first. Once a malicious app is installed, it may answer the login prompt instead and intercept MFA codes without breaking into Microsoft Authenticator or the Microsoft account directly.

From there, a captured code or sign-in link may let an attacker finish the session and reach mail, files, or work services. That is why Microsoft ties the flaw to account takeover risk, a sharper concern on BYOD phones used inside companies, schools and agencies.

What users should update and check on iOS and Android right away

Microsoft says patched builds are available, so the first step is to open Authenticator’s store page on your phone. Check for an App Store update on iPhone or a Google Play update on Android, then confirm the latest version is installed before your next login attempt.

While updating, review which app opens authentication links and avoid unknown software that asks to handle them. If a chooser appears, make sure the trusted link handler is Microsoft Authenticator, and keep mobile anti-malware active to flag suspicious installs on iOS or Android before they run in the background.
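
One way to check a managed Android device for the condition described above, a second app claiming the same link route as the authenticator. This is an added example, not code from Microsoft or from this article, and it assumes you already have the decoded AndroidManifest.xml text of the installed apps. The scheme `example-auth` and all package names are constructed placeholders, not the URIs involved in the fix.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
VIEW, BROWSABLE = "android.intent.action.VIEW", "android.intent.category.BROWSABLE"

def link_claims(manifest_xml):
    """Return (package, scheme, host, auto_verify) for each browsable VIEW filter."""
    root = ET.fromstring(manifest_xml)
    claims = []
    for flt in root.iter("intent-filter"):
        actions = {e.get(NS + "name") for e in flt.findall("action")}
        cats = {e.get(NS + "name") for e in flt.findall("category")}
        if VIEW not in actions or BROWSABLE not in cats:
            continue  # not reachable from a tapped link
        data = flt.findall("data")
        schemes = {d.get(NS + "scheme") for d in data} - {None}
        hosts = ({d.get(NS + "host") for d in data} - {None}) or {"*"}
        verified = flt.get(NS + "autoVerify") == "true"
        claims += [(root.get("package"), s, h, verified)
                   for s in sorted(schemes) for h in sorted(hosts)]
    return claims

def competing_handlers(manifests, trusted_pkg, watched_schemes):
    """Flag packages other than trusted_pkg that can receive a watched link."""
    findings = []
    for xml_text in manifests:
        for pkg, scheme, host, verified in link_claims(xml_text):
            if pkg == trusted_pkg or scheme not in watched_schemes:
                continue
            if scheme in ("http", "https"):
                reason = "verified app link" if verified else "unverified web link claim"
            else:
                reason = "custom scheme, no ownership check"
            findings.append((pkg, scheme, host, reason))
    return findings

# Constructed sample manifests (placeholder packages and scheme, not real apps).
TRUSTED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.authenticator">
 <application><activity android:name=".SignIn" android:exported="true"><intent-filter>
  <action android:name="android.intent.action.VIEW"/>
  <category android:name="android.intent.category.DEFAULT"/>
  <category android:name="android.intent.category.BROWSABLE"/>
  <data android:scheme="example-auth"/>
 </intent-filter></activity></application></manifest>"""
OTHER = TRUSTED.replace("com.example.authenticator", "com.example.flashlight")
BENIGN = OTHER.replace("com.example.flashlight", "com.example.notes").replace("example-auth", "example-notes")

if __name__ == "__main__":
    for finding in competing_handlers([TRUSTED, OTHER, BENIGN], "com.example.authenticator", {"example-auth"}):
        print(finding)
```

Any finding for a custom scheme deserves review, because Android performs no ownership check on custom schemes; only `https` links declared with `android:autoVerify="true"` are tied to a domain the app has proven it controls.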
