Bing mobile app users on every platform including iOS and iPadOS are at risk after terabytes of user information have been stolen from an open server.

Bing is the search engine owned by Microsoft, and data related to its mobile app for iOS and Android has been found on an open server. The server held over 6.5TB of data and was growing by 200GB per day when it was discovered.

The white hat hacker group WizCase discovered the open server on September 12, which had been secure until September 10 according to the group. Microsoft was alerted on September 13 after the server owner was discovered. The open server was secured by the Microsoft Security Response Center on September 16.

WizCase was able to identify an exfiltration of the data, and a subsequent “Meow” attack on the data, during the open window. A Meow attack is an automated attack on an open server that aims to delete a large portion or all of the data on the server. This Meow attack deleted nearly the entire database.

Nearly 100 million records had been collected by bad actors by the time a second Meow attack hit the server on September 14. Many types of hackers had access to the data while the server was open, so much or all of the data could have been collected.

What does this mean for users?

An open server filled with terabytes of user data is a treasure trove for bad-acting hackers. The data on the server included the following:

  • Plain-text search terms
  • Location coordinates of users with location enabled
  • Exact time of search
  • Firebase notification tokens
  • Coupon data for result terms
  • A partial list of URLs visited within search results
  • Device model
  • deviceID, devicehash, and ADID for the user’s device

This database can be searched to locate specific users based on queries or locations, which can lead to fraud, blackmail, phishing, or physical threat. The team at WizCase were able to identify specific users who had searched for child pornography, weapons, or where to attack specific groups of people.

Anyone could have downloaded the contents of the server during the six-day window. Internet-based assailants could target anyone who used the mobile app and whose data is present on this server. To protect yourself, do not open strange emails, and use alternative search engines like DuckDuckGo, which does not collect user data.