An unsecured database has exposed sensitive data for users of Microsoft’s Bing search engine mobile application – including their location coordinates, search terms in clear text and more.
While no personal information such as names was exposed, researchers with Wizcase argued that enough data was available to link the search queries and locations back to individual users, handing bad actors material for blackmail, phishing scams and more.
The data came from the mobile-app version of Microsoft Bing and sat on a 6.5 terabyte (TB) server owned by Microsoft. Researchers believe the server was password-protected until Sept. 10, two days before they discovered the exposure on Sept. 12. Microsoft was alerted to the exposed data on Sept. 13 and secured the server on Sept. 16.
While they did not calculate how many users were specifically affected, the researchers noted that there have been more than 10 million downloads of the Bing app on Google Play alone, with millions of mobile searches performed daily.
“Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk,” said Chase Williams, researcher with Wizcase, in a Monday post. “We saw records of people searching from more than 70 countries.”
But when Threatpost reached Microsoft for comment, the company argued that the amount of data exposed was “small.”
“We’ve fixed a misconfiguration that caused a small amount of search query data to be exposed,” a Microsoft spokesperson said. “After analysis, we’ve determined that the exposed data was limited and de-identified.”
In addition to the clear-text search terms, the server exposed the time each search was executed; Firebase notification tokens (which let developers push notifications to specific devices); device models; a partial list of the URLs visited from search results; coupon data, including when a coupon code was copied; operating-system data; and unique identifiers, including ADID (which the researchers believe to be a unique ID for a Microsoft account), deviceID and devicehash.
Researchers also found that location data accurate to within about 500 meters was exposed, for users who had granted the app location permission.
“While the coordinates exposed aren’t precise, they still give a relatively small perimeter of where the user is located,” said researchers. “By simply copying them on Google Maps, it could be possible to use them to trace back to the owner of the phone.”
Of note, Bing users’ personal information, including their names, was not exposed, and users who entered search queries in private mode were not affected, researchers said.
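To make concrete why a persistent device identifier plus coarse location undermines the "de-identified" description, here is an added example (not code from Wizcase, Microsoft or Threatpost). It runs over constructed records whose field names (deviceID, ts, lat, lon, query, model) are assumptions modelled on the fields the article lists, not the real schema of the exposed server. It snaps each coordinate to a roughly 500-meter grid cell to match the stated precision, takes the most frequent night-time cell per deviceID as a probable home location, and attaches every query that device ever made to that location. A device that never granted the location permission still has all its queries linked, just without a home estimate.

```python
"""Added example: linking "de-identified" search records back to a person.

Constructed data only; field names (deviceID, ts, lat, lon, query, model)
are assumptions modelled on the fields the article lists, not the real
schema of the exposed server.
"""
from collections import Counter, defaultdict
from datetime import datetime
from math import floor

# ~500 m of latitude per cell, matching the stated coordinate precision.
# Longitude cells are narrower by cos(lat), which only makes clustering stricter.
CELL_DEG = 0.0045

# Constructed sample records (not real data). dev-B never granted the
# location permission, so its coordinates are absent, as the article notes.
RECORDS = [
    {"deviceID": "dev-A", "ts": "2020-09-11T23:15:00", "lat": 47.6062, "lon": -122.3321,
     "model": "Pixel 3", "query": "weather tonight"},
    {"deviceID": "dev-A", "ts": "2020-09-12T02:40:00", "lat": 47.6070, "lon": -122.3310,
     "model": "Pixel 3", "query": "divorce lawyer near me"},
    {"deviceID": "dev-A", "ts": "2020-09-12T12:30:00", "lat": 47.6205, "lon": -122.3493,
     "model": "Pixel 3", "query": "lunch downtown"},
    {"deviceID": "dev-A", "ts": "2020-09-13T00:05:00", "lat": 47.6085, "lon": -122.3300,
     "model": "Pixel 3", "query": "where to buy a rolex"},
    {"deviceID": "dev-A", "ts": "2020-09-13T18:20:00", "lat": None, "lon": None,
     "model": "Pixel 3", "query": "directions to jewelry store"},
    {"deviceID": "dev-B", "ts": "2020-09-12T21:00:00", "lat": None, "lon": None,
     "model": "Galaxy S9", "query": "bus schedule"},
    {"deviceID": "dev-B", "ts": "2020-09-12T21:05:00", "lat": None, "lon": None,
     "model": "Galaxy S9", "query": "coupon code shoes"},
]


def cell_of(lat, lon, step=CELL_DEG):
    """Snap a coordinate to a grid cell of roughly `step` degrees on each axis."""
    return (floor(lat / step), floor(lon / step))


def cell_center(cell, step=CELL_DEG):
    """Centre of a grid cell, rounded to 5 decimals (about 1 m)."""
    i, j = cell
    return (round((i + 0.5) * step, 5), round((j + 0.5) * step, 5))


def is_night(ts):
    """True for 22:00-05:59 in the record's own timestamp (naive local time assumed)."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= 22 or hour < 6


def infer_home(device_records):
    """Most frequent night-time cell for one device, or None if it never sent a location."""
    cells = Counter(
        cell_of(r["lat"], r["lon"])
        for r in device_records
        if r["lat"] is not None and r["lon"] is not None and is_night(r["ts"])
    )
    if not cells:
        return None
    return cell_center(cells.most_common(1)[0][0])


def reidentify(records):
    """Group records by the persistent deviceID and attach every query to the inferred home."""
    by_device = defaultdict(list)
    for r in records:
        by_device[r["deviceID"]].append(r)
    report = {}
    for dev, recs in by_device.items():
        recs.sort(key=lambda r: r["ts"])  # ISO-8601 strings sort chronologically
        report[dev] = {
            "home": infer_home(recs),
            "models": sorted({r["model"] for r in recs}),
            "queries": [r["query"] for r in recs],
        }
    return report


if __name__ == "__main__":
    for dev, info in reidentify(RECORDS).items():
        print(dev, info["home"], info["models"])
        for q in info["queries"]:
            print("   ", q)
```

The grid is deliberately crude: two points that straddle a cell boundary land in different cells even when they are a few metres apart, so a real analysis would cluster by distance instead. The point it does show is that none of the fields needs to be a name for the linkage to work; the stable deviceID alone ties an embarrassing query to a 500-meter box where the phone spends its nights.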
Researchers also say that between Sept. 10 and Sept. 12, and again on Sept. 14, the server was hit by a “Meow attack.” Meow attacks are a wave of automated attacks that began in July and have wiped roughly 1,000 unsecured databases, leaving the word “meow” as their only calling card, according to researcher Bob Diachenko. Meow attackers also recently hit a misconfigured Mailfire server that had been left open.
“From what we saw, between September 10th – 12th, the server was targeted by a Meow attack that deleted nearly the entire database,” Wizcase researchers said. “When we discovered the server on the 12th, 100 million records had been collected since the attack. There was a second Meow attack on the server on September 14.”
Threatpost reached out to both Wizcase and Microsoft for further comment on this attack.
Beyond the Meow attackers, the data was potentially available to any other attacker or scammer who found the server, which could enable blackmail and phishing campaigns against users of the Bing mobile app, researchers warned, particularly given the exposed search queries.
“Whether it’s searching for adult content, cheating on a significant other, extreme political views or hundreds of embarrassing things people search for on Bing,” said researchers, “once the hacker has the search query, it could be possible to find out the person’s identity thanks to all the details available on the server, making them an easy blackmail target.”
The exposure of location data could also open victims up to physical attacks or robberies, researchers said.
“The cybercriminal will not only know the user’s daily routine, but they can also have information as to whether they have cash or expensive items with them, based on the search queries,” they said. “For example, if one were to search for where to buy an expensive item or directions to a store, the attacker could be ready to steal the item.”