Microsoft secures server after massive data leak in Microsoft Bing app

by Ugnius Kiguolis

13 billion records from the Bing search engine were leaked online

The massive data leak in Microsoft Bing app

Microsoft suffered a massive data leak earlier this month because its IT staff accidentally left one of the Bing app's Elasticsearch servers exposed online. Experts say that the server exposed more than 6.5 TB of log files, containing about 13 billion records from the Bing search engine. The server was online without a password from September 10 to September 16.

The leak was uncovered by Ata Hakcil from the WizCase online security team.[1] The researcher was able to verify his findings by downloading the Bing app and locating search queries he performed in the app in the server's logs. The WizCase team explained:

While looking through the server, he found his information, including search queries, device details, and GPS coordinates, proving the exposed data comes directly from the Bing mobile app.

Bing[2] is a web search engine created and operated by Microsoft. Its mobile app is available in the App Store and Google Play and works in 40 different languages. The application uses Elasticsearch[3] servers, and such servers have been the source of many accidental data leaks over the past four years.[4]
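The exposure pattern behind this incident and the earlier Elasticsearch leaks the article refers to is a node whose HTTP API is bound to a network interface while authentication is left off. The following added example (not code from the article, WizCase or Elastic) audits an `elasticsearch.yml` for that combination. The two embedded configurations are constructed samples, not Microsoft's real settings; the parser only handles the flat `key: value` lines the file normally uses, and it treats a missing `xpack.security.enabled` as "not enabled", which matches the pre-8.0 default.

```python
"""Audit an elasticsearch.yml for an unauthenticated, network-reachable HTTP API.

Added example, not part of the original article. The parser handles only
flat 'key: value' lines (the usual elasticsearch.yml layout); nested YAML
blocks and lists are out of scope.
"""

# Addresses on which the node is reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Turn flat 'key: value' lines into a dict; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_true(value):
    return str(value).strip().lower() == "true"


def audit(settings):
    """Return a list of findings; an empty list means no exposure was detected."""
    findings = []
    # Elasticsearch binds to loopback unless network.host says otherwise.
    host = settings.get("network.host", "_local_")
    security_on = is_true(settings.get("xpack.security.enabled", "false"))
    tls_on = is_true(settings.get("xpack.security.http.ssl.enabled", "false"))

    if host in LOOPBACK:
        return findings  # only local clients can reach the API at all

    findings.append(f"network.host={host}: HTTP API reachable beyond this host")
    if not security_on:
        findings.append("xpack.security.enabled is not true: the API answers "
                        "without credentials (off by default before 8.0)")
    if not tls_on:
        findings.append("xpack.security.http.ssl.enabled is not true: queries "
                        "and any credentials travel in cleartext")
    return findings


# Constructed sample: the shape of a node left open to the internet.
EXPOSED_CONFIG = """
cluster.name: app-logs      # constructed, not the real cluster name
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
"""

# Constructed sample: same node with authentication and TLS switched on.
HARDENED_CONFIG = """
cluster.name: app-logs
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Constructed sample: no security settings, but bound to loopback only.
LOCAL_ONLY_CONFIG = """
cluster.name: dev
network.host: 127.0.0.1
"""


def audit_text(text):
    """Convenience wrapper: parse a config file's text and audit it."""
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("local-only", LOCAL_ONLY_CONFIG)):
        print(f"[{name}]")
        for finding in audit_text(cfg) or ["no findings"]:
            print("  -", finding)
```

Even the hardened sample keeps one finding, because binding to `0.0.0.0` is still a deliberate decision that should be backed by a firewall rule or security group; the audit treats reachability as the root condition and authentication and TLS as the controls that must accompany it.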

The exposed data may lead to attacks against Bing users

The researcher from WizCase explained that the server was growing by 200GB per day and had reached 6.5TB on the day he discovered it. The insecure server was exposed online without any password, but no personal information about users was included.

Hakcil said that the exposed data included the following:

  • geo-location coordinates;
  • search terms (except searches made in private mode);
  • the exact time of the search;
  • details about the user's system (OS, device, browser, etc.);
  • other information like tokens, coupon codes, hashes.

Everyone who made a search with the Bing mobile app from September 10 to September 16 was at risk. Security specialists said that they saw records of people from more than 70 countries.

Moreover, Hakcil warned:

From what we saw, between September 10th – 12th, the server was targeted by a Meow attack that deleted nearly the entire database. When we discovered the server on the 12th, 100 million records had been collected since the attack. There was a second Meow attack on the server on September 14.

This data was exposed to scammers and hackers as well, and it could lead to cyberattacks against Bing mobile app users. Potential threats include phishing scams, blackmail, or even physical attacks and robbery.

Researchers found criminals' search queries, which included phrases like child porn, guns, etc.

While investigating the exposed server, the security researchers also found search queries from various kinds of bad actors. They found predators searching for child pornography, along with the websites those users visited after such searches. They also saw search queries related to shootings and guns, and search terms like “kill commies”.

Hakcil said that catching these offenders is beyond his team's power, although the discovery shows that many people have less than desirable “hobbies”:[1]

As ethical hackers, we don’t have the resources to identify these people and turn them over to the authorities. Yet, this discovery revealed how many predators and dangerous people are using search engines to find their next victims and what websites they are visiting.

For parents, it is important to always think before sharing pictures of their children on social media, because plenty of predators could misuse such information. Parents should also keep their kids' security[5] in mind and know whom their children are speaking with on the internet.

About the author

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

