Microsoft's Bing mobile apps, available on Android and iOS, have been the victim of a data leak. Security researchers found an Elastic server that had its password protection removed, reportedly as a "misconfiguration" of the server, which has resulted in 6.5TB of search data being made available publicly on the internet, which grew by up to 200GB per day.
Security researchers from WizCase found the unprotected server on September 12, although the authentication is estimated to have been removed 2 days prior. After discovering the data was coming from Bing's mobile apps, by performing a search themselves and seeing it appear in the data, the researchers contacted Microsoft on September 13, and the information was given to Microsoft's Security Response Centre, who acted to resolve the problem a few days later.
The data leak has exposed a trove of data that Microsoft collects from users who use the Bing mobile apps. The data included:
- Search terms (excluding any searches in 'private' mode)
- GPS coordinates (if location permissions are enabled, with a ~500 metre accuracy)
- Date and time of the search
- Firebase notification tokens
- Coupon data
- Partial list of the URLs visited by the user from the search results
- Device model
- Operating system
- 3 unique identifiers, including:
- ADID: possibly an identifier for a Microsoft Account
None of the data was encrypted.
Data was collected from more than 70 countries, and it's believed that anyone who performed a search using Bing's mobile apps between the point of the server being exposed are at risk, which is roughly between September 10 and September 16.
The team at WizCase pointed out that the server was also the target of a Meow attack, which essentially deleted almost the entire database on September 12, and a further attack on September 14. Nonetheless, they pointed out that the "data was exposed to all types of hackers and scammers."
Due to the nature of the data exposed, it could be possible to identify individuals. This could then be used in a number of ways, including blackmail, phishing scams, and physical attacks & robbery. Some of the data's specificity is alarming, such as the plaintext search terms and GPS coordinates, in addition to the possible link directly to a Microsoft Account.
Of note was some of the search query data that was collected, which highlighted a number of potential bad actors performing searches on Bing. Search terms related to child pornography, guns, and interest in shootings, were all identified.
This data leak calls into question the trust that Bing users place on the search engine. There's a reasonable expectation that search engines should protect users' identity and search data, and this leak has directly exposed that information in one way or another. For those wanting to help protect their online search behaviour, it is recommended to use 'private mode' to help alleviate some privacy concerns.
You can read the full write-up from the security researchers and examples of the data exposed in their report here.