Security researchers from WizCase have uncovered a major data leak in the Microsoft Bing mobile app, through an unsecured Elastic server. So far, there have been more than 10,000,000 downloads on Google Play alone, and millions of searches performed daily through the mobile app.
Led by white hat hacker Ata Hakcil, The WizCase online security team, found an Elastic server that had its password protection removed, reportedly as a “misconfiguration” of the server, which has resulted in 6.5TB of search data being made available publicly on the internet, which grew by up to 200GB per day. The “misconfiguration” of the server has resulted in 6.5TB of search data being made available publicly on the internet, which grew by up to 200GB per day.
The team at WizCase pointed out that the server was the target of a Meow attack, which essentially deleted almost the entire database on September 12, and a further attack on September 14. Nonetheless, they pointed out that the “data was exposed to all types of hackers and scammers.”
However, Meow attack is nothing new. In July, the ‘Meow’ attacks wiped almost 4,000 of unsecured internet-facing databases. Security experts reported that while more than 97% of ‘Meow’attacks hit Elasticsearch and MongoDB instances, systems running Cassandra, CouchDB, Redis, Hadoop, Jenkins, and Apache ZooKeeper have been targeted as well.
According to their scanner, the WizCase research team found that the server was password protected until the first week of September. However, the WizCase team first discovered the leak on September 12th. No one knows for sure what had happened approximately two days after the authentication was removed.
Immediately after discovering the data was coming from Bing’s mobile apps, the researchers contacted Microsoft on September 13, and the information was given to Microsoft’s Security Response Centre, who acted to resolve the problem a few days later.
According to their report, after the investigation led to the Microsoft Bing App, Hakcil confirmed his findings by downloading the app and running a search for “Wizcase.” While looking through the server, he found his information, including search queries, device details, and GPS coordinates, proving the exposed data comes directly from the Bing mobile app.
The exposed data includes:
- Search Terms in clear text, excluding the ones entered in private mode
- Location Coordinates: If the location permission is enabled on the app, a precise location, within 500 meters, was included in the data set.
While the coordinates exposed aren’t precise, they still give a relatively small perimeter of where the user is located. By simply copying them on Google Maps, it could be possible to use them to trace back to the owner of the phone. - The exact time the search was executed.
- Firebase Notification Tokens
- Coupon Data such as timestamps of when a coupon code was copied or auto-applied by the app and on which URL it was
- A partial list of the URLs the users visited from the search results
- Device (Phone or Tablet) model
- Operating System
- 3 separate unique ID numbers assigned to each user found in the data
- ADID: Appears to be a unique ID for a Microsoft account
- deviceID
- devicehash
According to the researchers, none of the data was encrypted.
Data was collected from more than 70 countries, and it’s believed that anyone who performed a search using Bing’s mobile apps between the point of the server being exposed is at risk, which is roughly between September 10 and September 16.
You can read more about other data exposed in their report here.
