Unsecured Microsoft server exposes sensitive Bing mobile app user data
With 10,000,000+ downloads on the Google Play store, the Microsoft Bing search app suffered a data leak through an unsecured Elastic server. The leak was uncovered by the WizCase online security team, led by white hat hacker Ata Hakcil.
According to Hakcil's investigation, the exposed server must have leaked more than 6.5 TB of log files containing 13 billion records originating from the Bing search engine. Hakcil confirmed his findings by downloading the Microsoft Bing search app and running a search for "Wizcase." As the researcher dug into the server, he found that his own information had been leaked, including all the search queries, the details of the device used, and the location.
No data related to users' names was leaked, but exposing user-related data such as search queries, location coordinates, or device details to anyone who could find it, including people with bad intentions like scammers and hackers, is worrying.
According to our scanner, the server was password protected until the first week of September. Our team discovered the leak on September 12th, approximately two days after the authentication was removed. After Hakcil confirmed the database belonged to the Bing app, the team alerted Microsoft on September 13th. They quickly responded to our message. We then reported the data leak to the MSRC – Microsoft Security Response Center and they secured it a few days later, on September 16th.
According to the research, the leaked 6.5 TB of log files was growing at a rate of 200 GB per day. The WizCase report adds that the team found records of people searching from more than 70 countries, and that between September 10th and 12th the server was targeted by a Meow attack that deleted nearly the entire database.
When the security team discovered the server on the 12th, 100 million records had been collected since the attack. A Meow attack refers to ongoing attacks that started earlier in July and left 1,000 unsecured databases permanently deleted. The attack leaves the word "meow" as its only calling card. The security team reported the leak to Microsoft on September 13th, and the server was secured by the Microsoft Security Response Center on September 16th.
To be on the safe side, it is recommended to change the passwords of your accounts and clear your location data. For more news on tech and cybersecurity, stay tuned to Android Rookies by following us on Google News.