Unfortunately, a new security report reveals that a back-end server associated with Bing has exposed sensitive data belonging to users of the mobile application.
Bing Associated Server Data Leak: What Was Exposed?
The exposed data includes search queries, device details and GPS coordinates. The good news is that no personal information such as names and addresses was exposed.
The data leak was discovered by WizCase researcher Ata Hackil. The massive leak, a 6.5TB cache of log files, happened through an unsecured Elastic server. As in other similar cases, the Elastic server was not password-protected when the leak took place. Notably, the server had been password-protected until September 10, when the password was removed.
“There have been more than 10,000,000 downloads on Google Play alone, and millions of searches performed daily through the mobile app,” the report shows.
Here’s what the data leak has exposed:
- Search terms in clear text, excluding the ones entered in private mode
- Location coordinates: if the location permission is enabled on the app, a precise location, within 500 meters, was included in the data set. While the exposed coordinates aren't exact, they still give a relatively small perimeter of where the user is located. By simply pasting them into Google Maps, it could be possible to trace them back to the owner of the phone.
- The exact time the search was executed
- Firebase notification tokens
- Coupon data, such as timestamps of when a coupon code was copied or auto-applied by the app and on which URL
- A partial list of the URLs the users visited from the search results
- Device (phone or tablet) model
- Three separate unique ID numbers assigned to each user found in the data
The researchers also estimated that the server was “growing by as much as 200GB per day”, and therefore assume that anyone who made a Bing search via the mobile app while the server was unprotected is at risk. People from more than 70 countries are affected.
What is worse, the exposed server was hit by Meow attacks:
From what we saw, between September 10th – 12th, the server was targeted by a Meow attack that deleted nearly the entire database. When we discovered the server on the 12th, 100 million records had been collected since the attack. There was a second Meow attack on the server on September 14.
Considering the type of sensitive information exposed, hackers may attempt to blackmail victims. Other attack scenarios include phishing scams and even physical attacks and robbery.
The researchers disclosed their findings to Microsoft Security Response Center, and the company addressed the problem on September 16.
Too Many Unprotected Servers Out There
In July, SafetyDetectives researchers discovered an Avon-associated server that had no basic security measures in place and could be easily accessed.
Through this security weakness, the researchers found 19 million records of individuals associated with Avon, including personal information of employees and website data.