Microsoft Bing server exposed user search queries and location data

The misconfigured server logged data from the Bing Mobile App.


The WizCase online security team discovered a massive data leak in a Microsoft-owned server that was logging Bing Mobile App data. The leak was discovered via an unsecured Elasticsearch server.


The research team was led by white hat hacker Ata Hackil, who believes that the unsecured server could have allowed third parties to obtain critically sensitive data such as search queries.


The Bing mobile app is available on both the Google and Apple stores. It has over 10,000,000 downloads on the Google Play Store, and millions of searches are performed through it daily.


WizCase’s research team found the database while searching for open databases or servers on the internet, and located an unprotected Elasticsearch server that was logging search query terms in clear text, along with location coordinates and device details.



The server also revealed the exact time each search query was executed, the device model, Firebase Notification Tokens (which can allow developers to send notifications to a specific device), a list of URLs the user selected to visit from search results, and coupon data, including when the code was copied.

The leaked data also included unique ID numbers (such as ADID, Devicehash, and DeviceID) and operating system data.

