An unsecured server may have led to a massive data leak in Microsoft’s Bing mobile app according to a new report from the online security site WizCase.
The site’s online security team, led by white hat hacker Ata Hakcil, discovered the unsecured server online and traced it back to Bing’s mobile app.
To confirm the team’s findings, Hakcil downloaded the app and ran a search for “Wizcase”. He then looked through the data stored on the unsecured server to find that his information, including search queries, device details and GPS coordinates, was there, proving that the exposed data was coming directly from Bing’s mobile app.
The exposed data on the server includes search terms in clear text, the exact time searchers were executed, location coordinates, Firebase Notification Tokens, coupon data, a partial list of the URLs users visited from the search results, device model, operating system and three separate unique ID numbers (ADID, deviceID and devicehash) assigned to each user found in the data.
Hakcil and his team began their investigation after discovering a 6.5TB server that was growing by as much as 200GB per day. Based on the amount of data added to the server each day, WizCase believes it’s safe to speculate that anyone who used Bing’s mobile app to conduct a search while the server was exposed is at risk as the team saw records of user searches from more than 70 countries.
According to the company’s scanner, the server was password protected until the first week of September and was exposed online without a password for two full days. WizCase then reached out to Microsoft and reported the data leak to the Microsoft Security Response Center (MSRC) and the server was secured a few days later.
Based on its observations, the team believes that the server was targeted by a Meow attack that deleted nearly the entire database. A second Meow attack was then observed a few days later.
In addition to these attacks, the data was exposed to cybercriminals while the server was exposed online which could put Bing mobile users at risk from a number of threats including blackmail, phishing and even physical attacks as their physical locations could be determined based on the GPS coordinates of their mobile devices.
In a blog post about the exposed server, web security expert at WizChase Chase Williams explained how the team’s discovery highlighted the ways in which search engines are being used for nefarious activities online, saying:
“As ethical hackers, we don’t have the resources to identify these people and turn them over to the authorities. Yet, this discovery revealed how many predators and dangerous people are using search engines to find their next victims and what websites they are visiting.”