On September 12, WizCase researcher Ata Hakcil discovered that Microsoft had left a database exposed on the internet.
Earlier this month Microsoft exposed a 6.5TB Elasticsearch server holding Bing search terms, location coordinates, device ID data, and a partial list of which URLs were visited.
The server was password-protected until around September 10th, according to a report from cyber-security outfit WizCase, which said "the authentication was removed."
Once the data was left unsecured, the infosec firm reported the problem to Microsoft, on September 13th.
A few days later, on September 16th, the Windows giant's security center took the database out of public view.
However, the window from around the 10th, when authentication was removed, until the 16th was long enough for hackers and bots to find the unprotected data.
WizCase said the server suffered a Meow attack on two occasions, referring to a bot that wipes unsecured databases it finds and replaces their contents with the word "meow" repeated over and over.
If the Meow bot found that data, it is very likely that other interested parties found it as well.
According to Microsoft, the information did not include personal details such as names, physical addresses, phone numbers or email addresses.
The question, then, is whether the data that was included is enough to track down the individuals using the search engine.
Remember the very similar AOL incident back in 2006, when AOL released what it thought was anonymized search data for "research purposes" and journalists soon proved it wrong by identifying some of the searchers?
Yup – that actually happened.
One of the reasons it was so easy for the journalists to identify some of the searchers was because each searcher was identified by a numeric key.
This made it possible to see all the searches made by a particular individual then connect the dots from clues in the queries.
Even though Microsoft claims the data doesn’t link back to specific users, the leaked data may likewise have privacy implications.
WizCase screenshots show that the records include fields called deviceID, deviceHash, AdID and clientID, all of them stable identifiers that would let someone collect every search made from a particular device, exactly the kind of key that undid AOL's anonymization.
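The linkage described above, as an added example that is not part of the article and is not code from WizCase or Microsoft: take a search log with names stripped out, group it by its stable keys, and see how much of a profile falls out. It goes one step beyond the article by linking on any shared identifier (deviceID, AdID or clientID) rather than on deviceID alone, so a reinstall that changes deviceID does not break the chain when AdID carries over. The records, identifier values, coordinates and the assumption that AdID survives a reinstall are all constructed for the example.

```python
"""Added example (not from the article, WizCase or Microsoft): why a search log
with names removed is still linkable when every record carries stable keys.
Field names mirror those WizCase's screenshots reportedly show (deviceID, AdID,
clientID); the values and queries below are constructed."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample records: no names, emails or phone numbers, only what the
# article says leaked (query text, coordinates, device and ad identifiers).
RECORDS = [
    {"deviceID": "d-7f3a", "AdID": "ad-11", "clientID": "c-01",
     "query": "best pizza near me", "lat": 47.6212, "lon": -122.3493},
    {"deviceID": "d-7f3a", "AdID": "ad-11", "clientID": "c-01",
     "query": "dentist in 98109", "lat": 47.6218, "lon": -122.3496},
    {"deviceID": "d-7f3a", "AdID": "ad-11", "clientID": "c-01",
     "query": "how to dispute a parking ticket", "lat": 40.7583, "lon": -73.9857},
    # Assumption for the example: the same person after reinstalling the app gets
    # a new deviceID, but the advertising ID carries over and re-links them.
    {"deviceID": "d-9e44", "AdID": "ad-11", "clientID": "c-07",
     "query": "smith family reunion seattle 2020", "lat": 47.6213, "lon": -122.3492},
    {"deviceID": "d-2c91", "AdID": "ad-52", "clientID": "c-03",
     "query": "weather tomorrow", "lat": 51.5076, "lon": -0.1277},
    {"deviceID": "d-2c91", "AdID": "ad-52", "clientID": "c-03",
     "query": "cheap flights to lisbon", "lat": 51.5074, "lon": -0.1273},
]

LINK_KEYS = ("deviceID", "AdID", "clientID")
ZIP_RE = re.compile(r"\b\d{5}\b")  # five-digit US ZIP codes typed into queries


def link_records(records, keys=LINK_KEYS):
    """Union-find over identifier values: two records that share any one key
    value land in the same cluster. Returns {cluster_root: [records]}."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for i, rec in enumerate(records):
        for k in keys:
            if rec.get(k):
                union(("rec", i), (k, rec[k]))
    clusters = defaultdict(list)
    for i, rec in enumerate(records):
        clusters[find(("rec", i))].append(rec)
    return dict(clusters)


def home_cell(records, scale=1000):
    """Most frequent ~100 m grid cell (lat/lon floored to 1e-3 degrees): where
    the device searches from most often, which is usually home or work."""
    cells = Counter((math.floor(r["lat"] * scale), math.floor(r["lon"] * scale))
                    for r in records)
    return cells.most_common(1)[0][0]


def quasi_identifiers(records):
    """Clues a human can connect the dots from: ZIP codes in the query text,
    and 'near me' queries whose attached coordinates pin down a location."""
    zips = sorted({z for r in records for z in ZIP_RE.findall(r["query"])})
    located = [r["query"] for r in records if "near me" in r["query"]]
    return {"zips": zips, "located_queries": located}


def profile_clusters(records):
    """One profile per linked cluster: ids seen, home cell, clues, full history."""
    profiles = []
    for recs in link_records(records).values():
        profiles.append({
            "deviceIDs": sorted({r["deviceID"] for r in recs}),
            "AdIDs": sorted({r["AdID"] for r in recs}),
            "home_cell": home_cell(recs),
            "clues": quasi_identifiers(recs),
            "queries": [r["query"] for r in recs],
        })
    return profiles


def profile_for(records, device_id):
    """The linked profile that contains the given deviceID, or None."""
    for p in profile_clusters(records):
        if device_id in p["deviceIDs"]:
            return p
    return None


if __name__ == "__main__":
    for p in profile_clusters(RECORDS):
        print(p)
```

Run as-is it prints two profiles. The first one merges two deviceIDs through the shared AdID, places the person in one 100 m cell around Seattle, pulls the ZIP 98109 and a surname out of the queries, and lists a search made from New York, none of which requires a name, email or phone number in the data.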
The data also includes some not-so-pleasant things people search for, including illegal content.
WizCase suggested that if criminals succeed in linking the data with specific users, some individuals could be vulnerable to blackmail or phishing scams as a result.
A Microsoft spokesperson told us: “We’ve fixed a mis-configuration that caused a small amount of search query data to be exposed. After analysis, we’ve determined that the exposed data was limited and de-identified.”
Statcounter readings show just 2.83 percent market share for Bing versus Google’s 92.05 percent.
Yes, it is a small percentage of a very large market, and Statcounter's numbers may not reflect searches made through the Bing app or those integrated with Windows search.
Anyone can make a mistake. However, there is an implicit deal here: providers like Google and Microsoft give us improved search results in return for our letting them collect data on our behaviour.
With that exchange comes a level of trust, and this incident damages it, especially because the data sat unencrypted. Note that encryption at rest on its own would not have helped much either: a database that answers unauthenticated queries hands plaintext back to anyone who asks, so the control that mattered was the authentication that had been removed.
The security blunder is unfortunate for Microsoft but hopefully it is a valuable lesson learned.