Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Unprotected Server Leaks Data of Microsoft Bing Mobile App Users

WizCase experts have identified an unprotected Elasticsearch server that contained terabytes of data pertaining to users of Microsoft’s Bing mobile application.

WizCase experts have identified an unprotected Elasticsearch server that contained terabytes of data pertaining to users of Microsoft’s Bing mobile application.

The database was supposed to be password protected. On September 12, however, the WizCase online security team discovered that authentication had been removed from the database roughly two days before, exposing its content to everyone on the Internet.

White hat hacker Ata Hakcil, who identified the leak, was able to confirm that the Elasticsearch server belonged to Microsoft’s Bing mobile app by installing the application and running a search for WizCase.

“While looking through the server, he found his information, including search queries, device details, and GPS coordinates, proving the exposed data comes directly from the Bing mobile app,” WizCase’s experts reveal.

The exposed server was designed to log data related to the Android and iOS Bing mobile applications. The software has more than 10 million downloads on Google Play alone, and logs millions of searches every day, WizCase notes.

Hakcil and his team noticed that the exposed 6.5 terabyte server was receiving as much as 200 gigabytes of data daily.

“Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk. We saw records of people searching from more than 70 countries,” the experts say.

Data found on the server includes search terms (which were stored in plain text), precise location (if enabled in the application – coordinates within a 500 meters range were stored), exact time of the search, Firebase notification tokens, coupon data, a partial list of URLs accessed from the search results, device model and operating system, and three ID numbers assigned to the user: ADID (a unique ID for a Microsoft account), deviceID, and devicehash.

WizCase says Microsoft was alerted about the exposed server on September 13 and that its security team secured it on September 16.

In the timeframe it was exposed, however, the database was targeted at least two times in a so-called Meow attack, in which attackers delete unsecured databases. In one of the Meow attacks aimed at the Bing database, nearly all of the user data was erased.

“When we discovered the server on the 12th, 100 million records had been collected since the attack,” the experts reveal. A second Meow attack was observed on September 14.

Responding to a SecurityWeek inquiry, a Microsoft spokesperson confirmed the incident: “We’ve fixed a misconfiguration that caused a small amount of search query data to be exposed. After analysis, we’ve determined that the exposed data was limited and de-identified.”

Related: Microsoft Exposed 250 Million Customer Support Records

Related: Misconfigured Public Cloud Databases Attacked Within Hours of Deployment

Related: Unprotected Database Exposed 5 Billion Previously Leaked Records

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...