An unsecured database has exposed sensitive data for users of Microsoft’s Bing search engine mobile application – including their location coordinates, search terms in clear text and more.
While no personal information, like names, was exposed, researchers with Wizcase argued that enough data was available that it would be possible to link these search queries and locations to user identities, giving bad actors information ripe for blackmail attacks, phishing scams and more.
The data was related to the mobile-app version of Microsoft Bing, housed in a 6.5 terabyte (TB) server owned by Microsoft. Researchers believe the server was password-protected until Sept. 10, two days before they uncovered the issue on Sept. 12. Microsoft was alerted to the exposed data on Sept. 13, and secured the server on Sept. 16.
While they did not calculate how many users were specifically affected, the researchers noted that there have been more than 10 million downloads of the Bing app on Google Play alone, with millions of mobile searches performed daily.
“Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk,” said Chase Williams, researcher with Wizcase, in a Monday post. “We saw records of people searching from more than 70 countries.”
But when Threatpost reached Microsoft for comment, the company argued that the amount of data exposed was “small.”
“We’ve fixed a misconfiguration that caused a small amount of search query data to be exposed,” a Microsoft spokesperson said. “After analysis, we’ve determined that the exposed data was limited and de-identified.”