A team of security researchers has found Bing user data exposed on a server owned by Microsoft. The data comes from both iOS and Android versions of the Bing app. The data exposed includes unique user IDs, search queries, location, and even webpages visited as a result of searches …

Security site WizCase made the discovery. It says the database was originally password-protected, but was left unprotected between September 10 and September 16.

The amount of Bing user data exposed is alarming.

The WizCase online security team, led by white hat hacker Ata Hakcil, uncovered a massive data leak in a server owned by Microsoft logging data related to its Bing mobile app, available in both Google Play and App Store.

After the investigation led to the Microsoft Bing App, Hakcil confirmed his findings by downloading the app and running a search for “Wizcase.” While looking through the server, he found his information, including search queries, device details, and GPS coordinates, proving the exposed data comes directly from the Bing mobile app.

  • Search Terms in clear text, excluding the ones entered in private mode
  • Location Coordinates: If the location permission is enabled on the app, a precise location, within 500 meters, was included in the data set. While the coordinates exposed aren’t precise, they still give a relatively small perimeter of where the user is located. By simply copying them on Google Maps, it could be possible to use them to trace back to the owner of the phone.
  • The exact time the search was executed.
  • Firebase Notification Tokens
  • Coupon Data such as timestamps of when a coupon code was copied or auto-applied by the app and on which URL it was
  • A partial list of the URLs the users visited from the search results
  • Device (Phone or Tablet) model
  • Operating System
  • 3 separate unique ID numbers assigned to each user found in the data
  • ADID: Appears to be a unique ID for a Microsoft account
  • deviceID
  • devicehash

Searches for child sexual abuse images were found in the database.

  • ADID: Appears to be a unique ID for a Microsoft account
  • deviceID
  • devicehash

WizCase reported the breach to Microsoft on September 13, but the tech giant didn’t secure the data until September 16.

The team could see the search queries entered by predators looking for child porn, and the websites they visited following the search.

The researchers recommend refusing GPS location permission to the Bing app, and using a VPN when carrying out searches.