What’s Going On?

The WizCase online security team, led by white hat hacker Ata Hakcil, uncovered a massive data leak in a server owned by Microsoft logging data related to its Bing mobile app, available in both Google Play and App Store. After the investigation led to the Microsoft Bing App, Hakcil confirmed his findings by downloading the app and running a search for “Wizcase.” While looking through the server, he found his information, including search queries, device details, and GPS coordinates, proving the exposed data comes directly from the Bing mobile app.

Logs of our search including all details related to the device The exposed data includes:

Logs containing some user information

An example of a log related to coupons on the exposed server

Whose Data was Exposed and What Are the Consequences

Hakcil and his team discovered a 6.5TB server and saw it was growing by as much as 200GB per day. Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk. We saw records of people searching from more than 70 countries. According to our scanner, the server was password protected until the first week of September. Our team discovered the leak on September 12th, approximately two days after the authentication was removed. After Hakcil confirmed the database belonged to the Bing app, the team alerted Microsoft on September 13th. They quickly responded to our message. We then reported the data leak to the MSRC – Microsoft Security Response Center and they secured it a few days later, on September 16th. From what we saw, between September 10th – 12th, the server was targeted by a Meow attack that deleted nearly the entire database. When we discovered the server on the 12th, 100 million records had been collected since the attack. There was a second Meow attack on the server on September 14. In addition to the Meow hackers, this data was exposed to all types of hackers and scammers. This could lead to a variety of attacks against users of the Bing mobile app. Some of the potential threats include, but are not limited, to: While investigating the server, our research team was able to find search queries from different types of bad actors. Phishing Scams: If a hacker knows that someone is searching for something specific, like a vacation destination, pricing on jewelry, or looking at real estate locations, they can use that data to run a phishing scam explicitly built around their search history. For example, the coupon data that was in the logs can let bad actors track shopping websites used by Bing App users, and if the formers manage to de-anonymize a user from previous search queries, etc., they could target the user with phishing scams specifically designed for that user. Physical attacks and robbery: One of the data points revealed in this leak is a ping location for your phone or tablet. It doesn’t take a criminal mastermind to be able to use that ping to track your location. The cybercriminal will not only know the users’ daily routine, but they can also have information as to whether you have cash or expensive items with them, based on the search queries. For example, if one were to search for where to buy an expensive item or directions to store, the attacker could be ready to steal the item. The team could see the search queries entered by predators looking for child porn and the websites they visited following the search.

Search query from a predator including “clicked” URL Not illegal but still worrisome, we also encountered search queries related to guns and interest in shootings, with search histories that included shopping for guns, and search terms like “kill commies.”

Search results for “guns” and “kill commies” As ethical hackers, we don’t have the resources to identify these people and turn them over to the authorities. Yet, this discovery revealed how many predators and dangerous people are using search engines to find their next victims and what websites they are visiting. Furthermore, we would like to take this opportunity to remind all parents to be careful when sharing pictures of their kids on social media. There are many people with bad intentions who browse these sites looking for kids’ image

A recording showing logs of users, exposing their device model, operating system, search queries, and the size of the database.

What Can I Do to Protect My Data?

If you use the Bing mobile app, you should be extra careful when opening emails from unknown senders. Even though a user’s email address isn’t included in the exposed data, there is enough user data for the hacker to find a person’s identity. Once they have a name, address, and place of employment, getting an email address isn’t that difficult. As a general rule, never click on a link that doesn’t come from a trusted source. While it is generally accepted that search engines like Bing and Google have access to mountains of data, there is a reasonable expectation that they will secure that data. One way to protect your data is to use a private search engine, such as DuckDuckGo, which doesn’t store any user data or search queries. The location data comes from 3 sources: To protect your identity against all three of these items, you will need to turn off the GPS permission on the Bing mobile app, and always keep a VPN connection while you’re online. A VPN is a software that reroutes your internet connection to a remote server, giving you an IP address that isn’t connected to your actual location. While the location data isn’t coming directly from the IP address, Microsoft logs the IP addresses of users for up to six months, and the VPN would keep you anonymous in the event that data storage becomes compromised. The problem with only keeping your VPN on for some browsing is that it gives bad actors the opportunity to view the connection history thanks to the unique IDs linked to your connection. When they see you are connecting from one country in the morning and another country in the evening, it won’t be difficult to determine which one is the VPN and which one is your actual IP address, so using a VPN becomes pointless if you are not consistently using it. However, because of the phone’s localization, there will still be general geographical locations such as “en-US” or “fr-FR.” We also recommend that you download reliable antivirus software that has anti-phishing protection.

Who is Wizcase?

WizCase is one of the biggest international online security websites, with content translated to 30 different languages. We provide tools, tricks, and best practices for online safety and security. This includes detailed VPN reviews and tutorials. Our online web security team of White Hack hackers have uncovered some of the biggest data breaches, including unsecured webcams and dating site scandals. Not only do we release our reports to the public, but we disclose it to the company as well, allowing them to secure their serves and creating a more secure environment for everyone.