Security researchers at Wizcase recently discovered an unprotected backend server associated with the Microsoft Bing mobile app that exposed up to 6.5 TB worth of data, including details of millions of search queries, device details, and GPS coordinates.
The Microsoft-owned server was set up to log data related to the Microsoft Bing mobile applications for Android and iOS that have enjoyed over ten million downloads on mobile devices. Even though the logs did not contain the names or addresses of Bing users, the unprotected Elastic server contained a wealth of information that could easily be misused by hackers.
In the unprotected database, the WizCase online security team, led by white hat hacker Ata Hakcil, found information such as search queries in plain text, precise location coordinates of users, Firebase notification tokens, coupon codes, and device information such as model, operating system, and unique ID numbers assigned to each user.
The security firm observed that the Microsoft Bing server was protected by a password until 10th September when the authentication was removed for unknown reasons. It took the firm only two days to discover the server after its protection from public access was disabled.
Unprotected Bing database contained 6.5TB worth of search queries and device information
At the time of its discovery, the server contained 6.5TB of data and was growing by around 200GB per day due to the enormous amount of data getting continuously logged from the Microsoft Bing mobile app. The server was secured by the Microsoft Security Response Center within three days after WizCase reached out to the team. However, this did not prevent hackers from staging multiple attacks on the exposed server.
"From what we saw, between September 10th – 12th, the server was targeted by a Meow attack that deleted nearly the entire database. When we discovered the server on the 12th, 100 million records had been collected since the attack. There was a second Meow attack on the server on September 14.
"In addition to the Meow hackers, this data was exposed to all types of hackers and scammers. This could lead to a variety of attacks against users of the Bing mobile app," the firm said in a blog post.
For instance, criminals could use precise geolocation coordinates as well as search queries available in the server logs to track users and determine their interests, cyber fraudsters could view users' interests and buying preferences to target them with phishing emails, and hackers may also blackmail users after obtaining data about their political views or embarrassing personal details.
"If you use the Bing mobile app, you should be extra careful when opening emails from unknown senders. Even though a user’s email address isn’t included in the exposed data, there is enough user data for the hacker to find a person’s identity," WizCase said.
"Once they have a name, address, and place of employment, getting an email address isn’t that difficult. As a general rule, never click on a link that doesn’t come from a trusted source," the firm said, adding that users should turn off the GPS permission on the Bing mobile app in order to protect their locations from being tracked.
Microsoft misconfigured gigantic customer support database as well
This isn't the first time that security researchers have unearthed an unprotected Microsoft database that contained a wealth of information that could be abused by hackers. In December last year, security researcher Bob Diachenko discovered a misconfigured Microsoft database that contained over 250 million records pertaining to conversations between customers and Microsoft support agents. The database could be accessed by anyone with an Internet connection.
The misconfigured Microsoft database was discovered by Diachenko on 29th December, a day after it was indexed by the BinaryEdge search engine that scans for public Internet data on the web. Upon being informed about the exposure, Microsoft closed public access to the database by 31st December.
The 250 million records stored in the unprotected ElasticSearch database included a wealth of information such as email addresses of customers, IP addresses, customers' locations, confidential internal notes, case numbers, resolutions and remarks, Microsoft support agent emails, and descriptions of CSS claims and cases.
"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorised access," said Microsoft in a blog post, emphasising that the misconfiguration was restricted to this particular database.