Unprotected Server Leaks Data of Microsoft Bing Mobile App Users

WizCase experts have identified an unprotected Elasticsearch server that contained terabytes of data pertaining to users of Microsoft’s Bing mobile application.

The database was supposed to be password protected. On September 12, however, the WizCase online security team discovered that authentication had been removed from the database roughly two days before, exposing its content to everyone on the Internet.

White hat hacker Ata Hakcil, who identified the leak, was able to confirm that the Elasticsearch server belonged to Microsoft’s Bing mobile app by installing the application and running a search for WizCase.

“While looking through the server, he found his information, including search queries, device details, and GPS coordinates, proving the exposed data comes directly from the Bing mobile app,” WizCase’s experts reveal.

The exposed server was designed to log data related to the Android and iOS Bing mobile applications. The software has more than 10 million downloads on Google Play alone, and logs millions of searches every day, WizCase notes.

Hakcil and his team noticed that the exposed 6.5 terabyte server was receiving as much as 200 gigabytes of data daily.

“Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk. We saw records of people searching from more than 70 countries,” the experts say.

Data found on the server includes search terms (stored in plain text), precise location (if enabled in the application; coordinates were stored to within roughly 500 meters), the exact time of the search, Firebase notification tokens, coupon data, a partial list of URLs accessed from the search results, device model and operating system, and three ID numbers assigned to the user: ADID (a unique ID for a Microsoft account), deviceID, and devicehash.
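The fields WizCase lists (account and device IDs, push tokens, 500-meter coordinates, exact timestamps) are exactly the ones a telemetry pipeline can minimize before they reach a search index, so that an exposed index carries far less. The following is an added example, not code from WizCase or Microsoft; the field names, the keyed-hash pepper and the 10 km location grid are assumptions.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed per-deployment secret (assumption); in production, load it from a secret store.
PEPPER = b"constructed-example-pepper"

# Field names are assumptions modelled on the categories WizCase listed.
DIRECT_IDENTIFIERS = ("ADID", "deviceID", "devicehash")
DROP_FIELDS = ("firebase_token",)
GRID_KM = 10.0          # coarse location cell instead of ~500 m precision
KM_PER_DEGREE = 111.0   # rough size of one degree of latitude


def pseudonymize(value: str) -> str:
    """Keyed hash: records from one device still correlate, but the raw ID is never stored."""
    return hmac.new(PEPPER, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def coarsen_coordinate(degrees: float) -> float:
    """Snap a latitude/longitude value to the nearest ~GRID_KM cell (equator approximation)."""
    step = GRID_KM / KM_PER_DEGREE
    return round(round(degrees / step) * step, 4)


def truncate_to_hour(ts: str) -> str:
    """Reduce an exact search time to the hour."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return t.replace(minute=0, second=0).strftime("%Y-%m-%dT%H:%M:%SZ")


def minimize_record(rec: dict) -> dict:
    """Return a copy of a search-log record with identifiers pseudonymized and precision reduced."""
    out = {k: v for k, v in rec.items() if k not in DROP_FIELDS}
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonymize(str(out[field]))
    if "lat" in out and "lon" in out:
        out["lat"] = coarsen_coordinate(out["lat"])
        out["lon"] = coarsen_coordinate(out["lon"])
    if "timestamp" in out:
        out["timestamp"] = truncate_to_hour(out["timestamp"])
    return out


# Constructed sample record; none of these values are real.
SAMPLE = {
    "query": "wizcase", "timestamp": "2020-09-12T14:37:55Z",
    "lat": 41.0151, "lon": 28.9795,
    "ADID": "adid-0001", "deviceID": "dev-0002", "devicehash": "hash-0003",
    "firebase_token": "fcm-token-xyz", "device_model": "constructed-model", "os": "Android 10",
}

if __name__ == "__main__":
    print(minimize_record(SAMPLE))
```

The query text itself is kept because it is what search analytics need; the remaining lever for it is retention, which this block does not address.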

WizCase says Microsoft was alerted about the exposed server on September 13 and that its security team secured it on September 16.

In the timeframe it was exposed, however, the database was hit at least twice by a so-called Meow attack, in which attackers delete unsecured databases. In one of the Meow attacks aimed at the Bing database, nearly all of the user data was erased.

“When we discovered the server on the 12th, 100 million records had been collected since the attack,” the experts reveal. A second Meow attack was observed on September 14.

Responding to a SecurityWeek inquiry, a Microsoft spokesperson confirmed the incident: “We’ve fixed a misconfiguration that caused a small amount of search query data to be exposed. After analysis, we’ve determined that the exposed data was limited and de-identified.”

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
