Unprotected Server Leaks Data of Microsoft Bing Mobile App Users
WizCase experts have identified an unprotected Elasticsearch server that contained terabytes of data pertaining to users of Microsoft’s Bing mobile application.
The database was supposed to be password protected. On September 12, however, the WizCase online security team discovered that authentication had been removed from the database roughly two days before, exposing its content to everyone on the Internet.
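The root cause described here is a database that stopped requiring authentication. As an added example (not code from the article, WizCase, or Microsoft), the following Python audit helper lets a defender confirm that their own Elasticsearch endpoints reject anonymous requests; it spins up a constructed stand-in for a node so the demonstration runs offline, and the cluster name and version number it serves are made-up values.

```python
"""Audit helper: confirm an Elasticsearch endpoint rejects anonymous requests.

Added example for defenders checking their own deployments; the fake node below
is a constructed stand-in, not the real product.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def check_anonymous_access(base_url: str, timeout: float = 5.0):
    """Send one unauthenticated GET to the cluster root and classify the result.

    Returns (verdict, detail) where verdict is one of
    'open', 'protected', 'unreachable' or 'unknown'.
    """
    url = base_url.rstrip("/") + "/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # A 401/403 on the root endpoint is what a secured node returns.
        if err.code in (401, 403):
            return "protected", f"auth required (HTTP {err.code})"
        return "unknown", f"unexpected HTTP {err.code}"
    except (urllib.error.URLError, OSError) as err:
        return "unreachable", str(err)

    # HTTP 200 with the cluster banner means anyone who can reach the port
    # can read (and, by default, write) every index without credentials.
    try:
        info = json.loads(body)
    except ValueError:
        return "open", "HTTP 200 with non-JSON body"
    cluster = info.get("cluster_name", "?")
    version = info.get("version", {}).get("number", "?")
    return "open", f"anonymous access to cluster {cluster!r} (version {version})"


class _FakeNode(BaseHTTPRequestHandler):
    """Constructed stand-in that mimics the root response of an Elasticsearch node."""

    require_auth = False

    def do_GET(self):
        if self.require_auth and self.headers.get("Authorization") is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="security"')
            self.end_headers()
            return
        # Made-up cluster banner; values are not taken from the incident.
        body = json.dumps({"cluster_name": "demo", "version": {"number": "0.0.0"}})
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_fake_node(require_auth: bool):
    """Start a fake node on a random loopback port; returns (server, base_url)."""
    handler = type("Handler", (_FakeNode,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    for secured in (False, True):
        server, url = start_fake_node(require_auth=secured)
        print(f"require_auth={secured}: {check_anonymous_access(url)}")
        server.shutdown()
        server.server_close()
```

Run it against a real endpoint with `check_anonymous_access("https://es.internal:9200")`; a verdict of `open` on anything reachable from outside a trusted network is the condition the article describes and should be treated as an incident, not a finding to schedule.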
White hat hacker Ata Hakcil, who identified the leak, was able to confirm that the Elasticsearch server belonged to Microsoft’s Bing mobile app by installing the application and running a search for WizCase.
“While looking through the server, he found his information, including search queries, device details, and GPS coordinates, proving the exposed data comes directly from the Bing mobile app,” WizCase’s experts reveal.
The exposed server was designed to log data related to the Android and iOS Bing mobile applications. The software has more than 10 million downloads on Google Play alone, and logs millions of searches every day, WizCase notes.
Hakcil and his team noticed that the exposed 6.5 terabyte server was receiving as much as 200 gigabytes of data daily.
“Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk. We saw records of people searching from more than 70 countries,” the experts say.
Data found on the server includes search terms (stored in plain text), precise location (if enabled in the application – coordinates within a 500-meter range were stored), the exact time of the search, Firebase notification tokens, coupon data, a partial list of URLs accessed from the search results, device model and operating system, and three ID numbers assigned to the user: ADID (a unique ID for a Microsoft account), deviceID, and devicehash.
WizCase says Microsoft was alerted about the exposed server on September 13 and that its security team secured it on September 16.
During the time it was exposed, however, the database was hit at least twice by a so-called Meow attack, in which attackers wipe unsecured databases. In one of the Meow attacks aimed at the Bing database, nearly all of the user data was erased.
“When we discovered the server on the 12th, 100 million records had been collected since the attack,” the experts reveal. A second Meow attack was observed on September 14.
Responding to a SecurityWeek inquiry, a Microsoft spokesperson confirmed the incident: “We’ve fixed a misconfiguration that caused a small amount of search query data to be exposed. After analysis, we’ve determined that the exposed data was limited and de-identified.”