Microsoft’s Bing mobile app exposed users’ sensitive information through an unsecured Elastic server. According to researchers at WizCase, the misconfigured server leaked data about users of the Bing mobile application, including device details, list of URLs visited, operating system, search queries, search timings, GPS locations, and three unique identifiers: ADID (Advertising to an ad), device ID, and device hash. However, the server did not expose any personal information like users’ names or addresses. The server is now secured after WizCase reported the issue to the Microsoft Security Response Center.
Massive Data at Risk
The researchers found a cache of more than 6.5TB of log files that had been left online without any password protection, leaving it accessible to the public. “Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk. We saw records of people searching from more than 70 countries,” WizCase said.
Besides the data breach, the researchers also stated that the search engine server was targeted by the Meow attack twice. While there is no information about any misuse of the leaked data, the researchers stated that the data breach could lead to a variety of attacks.
Misconfiguration Exposes 250 Mn Customer Records
Earlier, in a security alert, Microsoft admitted to a security blunder: it had misconfigured a customer service and support database, exposing 14 years of customer service and support data dating back to 2005 to anyone with a web browser, with no authentication required. As per Microsoft’s blog, on December 5, 2019, a change was made to the databases’ network security group. It was later found that appropriate measures were not taken to verify the Azure security rules, and this misconfiguration led to the data exposure. The exposure was discovered by a security research team at Comparitech led by Bob Diachenko. He uncovered a total of five Elastic servers containing 250 million records, including logs of communication between Microsoft’s support engineers and its customers.
The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG is merely passing on what has been discovered and reported by the source mentioned in the article.