Unprotected Server Leaks Data of Microsoft Bing Mobile App Users

WizCase experts have identified an unprotected Elasticsearch server that contained terabytes of data pertaining to users of Microsoft’s Bing mobile application.


The database was supposed to be password protected. On September 12, however, the WizCase online security team discovered that authentication had been removed from the database roughly two days before, exposing its content to everyone on the Internet.


White hat hacker Ata Hakcil, who identified the leak, was able to confirm that the Elasticsearch server belonged to Microsoft’s Bing mobile app by installing the application and running a search for WizCase.


“While looking through the server, he found his information, including search queries, device details, and GPS coordinates, proving the exposed data comes directly from the Bing mobile app,” WizCase’s experts reveal.


The exposed server was designed to log data related to the Android and iOS Bing mobile applications. The software has more than 10 million downloads on Google Play alone, and logs millions of searches every day, WizCase notes.


Hakcil and his team noticed that the exposed 6.5-terabyte server was receiving as much as 200 gigabytes of data daily.


“Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk. We saw records of people searching from more than 70 countries,” the experts say.


Data found on the server includes search terms (which were stored in plain text), precise location (if enabled in the application – coordinates within a 500-meter range were stored), exact time of the search, Firebase notification tokens, coupon data, a partial list of URLs accessed from the search results, device ..
