Microsoft Authenticator Vulnerability: A Threat to Your Account Security
A recently discovered vulnerability in Microsoft Authenticator for both iOS and Android (CVE-2026-26123) could potentially leak your one-time sign-in codes or authentication deep links to a malicious app on the same device. Therefore, it’s essential to understand the risks and take immediate action to protect your accounts.
What are Deep Links and How Do They Work?
Deep links are predefined Uniform Resource Identifiers (URIs) that allow direct access to an activity in a web or mobile application when clicked. Meanwhile, they are specifically constructed links used to open an app and complete actions like signing in. For example, when you click on a deep link, it can open the Microsoft Authenticator app and initiate the sign-in process.
However, this vulnerability affects users who have Microsoft Authenticator installed on an iOS or Android device. Additionally, the user would need to install a malicious app on their device and then accidentally choose that app to handle a sign-in deep link. If that happens, the malicious app receives the one-time code or sign-in information and can potentially use it to authenticate as the victim.
Potential Risks and Consequences
If an attacker successfully exploits this vulnerability, they could complete login flows to services that trust your Microsoft Authenticator codes. Furthermore, they could access the information and services available to the compromised account, including email, files, cloud apps, or production systems in a BYOD context. Moreover, they could potentially pivot to additional accounts if those are also protected by codes delivered via Authenticator on the same device.
How to Stay Safe
The fix for CVE-2026-26123 is already included in current releases, so installing updates is the most effective mitigation. On iOS, you can update the app by opening the App Store, tapping the My Account button or your photo, and scrolling down to see pending updates. On Android, you can update the app by opening the Google Play Store app, tapping the profile icon, and selecting Manage apps & device.
Additionally, if you are temporarily unable to update the app, avoid installing new apps that request to handle authentication links, QR-based sign-ins, or web-to-app sign-in flows. When scanning QR codes or tapping sign-in links, verify that the handler is Microsoft Authenticator or another trusted app, and not an unknown, recently installed, or otherwise suspicious app.
Finally, consider using alternative MFA options you already trust, such as built-in authentication in your password manager or platform-specific solutions like Apple’s password features, until you can apply the update. Moreover, use anti-malware protection for your mobile devices that can help detect malicious apps.
Conclusion and Call to Action
In conclusion, the Microsoft Authenticator vulnerability is a significant threat to your account security. However, by taking immediate action and following the steps outlined above, you can protect your accounts and prevent potential risks. Therefore, download Malwarebytes for iOS and Malwarebytes for Android today to keep your mobile devices secure.
Frequently Asked Questions
- What is the Microsoft Authenticator vulnerability, and how does it affect me? The vulnerability (CVE-2026-26123) could leak your one-time sign-in codes or authentication deep links to a malicious app on the same device.
- How can I protect my accounts from the Microsoft Authenticator vulnerability? Install the latest update, avoid installing new apps that request to handle authentication links, and use alternative MFA options until you can apply the update.
- What are deep links, and how do they work? Deep links are predefined URIs that allow direct access to an activity in a web or mobile application when clicked.
- Can I use alternative MFA options to protect my accounts? Yes, consider using built-in authentication in your password manager or platform-specific solutions like Apple’s password features until you can apply the update.
- How can I detect malicious apps on my mobile device? Use anti-malware protection for your mobile devices that can help detect malicious apps.








