Microsoft's Bing search engine has been caught leaking user data captured via its mobile apps for iOS and Android. The data includes private details such as GPS coordinates, device information, search queries, visited websites, and various other tokens and IDs. Security researchers found the data on an unsecured server owned by Microsoft.
According to security researchers from WizCase, the server held 6.5 TB of data and was growing by 200 GB every day. The server was password-protected, but the authentication was somehow removed for a week, leaving the data exposed. The data came from people in 70 countries where Bing is used and contained the following:
- Search Terms in clear text, excluding the ones entered in private mode
- Location coordinates: if the location permission is enabled in the app, the user's location to within 500 meters was included in the data set.
While the exposed coordinates are not exact, they still narrow the user's position to a small area. By simply pasting them into Google Maps, it could be possible to trace them back to the owner of the phone.
- The exact time the search was executed.
- Firebase Notification Tokens
- Coupon Data such as timestamps of when a coupon code was copied or auto-applied by the app and on which URL it was
- A partial list of the URLs the users visited from the search results
- Device (Phone or Tablet) model
- Operating System
- Three separate unique ID numbers assigned to each user found in the data
- ADID: Appears to be a unique ID for a Microsoft account
According to WizCase, its team notified Microsoft of the security lapse on September 13, a day after discovering the leak and two days after the server's authentication was disabled. Microsoft password-protected the server again three days later, on September 16. During this window the server was hit by several attackers, who accessed the data and in some cases attempted to delete it from the server.
WizCase wrote: "From what we saw, between September 10th and 12th, the server was targeted by a Meow attack that deleted nearly the entire database. When we discovered the server on the 12th, 100 million records had been collected since the attack. There was a second Meow attack on the server on September 14."
Beyond the Meow attackers, the data was exposed to anyone who found the server, including other hackers and scammers, which could enable a variety of attacks against users of the Bing mobile app.
The exposure should not be taken lightly, as the leaked information could have real-world consequences. According to WizCase, the data could be used for blackmail, phishing scams, and even physical attacks and robbery.
Microsoft has not yet contacted the people affected by the exposure. Until it does, it is best to avoid using the Bing apps on iOS or Android and not to grant them location access, to keep your information safe.