Bing user data exposed – includes location, search terms, sites visited

A team of security researchers has found Bing user data exposed on a server owned by Microsoft. The data comes from both iOS and Android versions of the Bing app. The data exposed includes unique user IDs, search queries, location, and even webpages visited as a result of searches …

Author Ad Placeholder
Will only appear on redesign env.

Security site WizCase made the discovery. It says the database was originally password-protected, but was left unprotected between September 10 and September 16.

The WizCase online security team, led by white hat hacker Ata Hakcil, uncovered a massive data leak in a server owned by Microsoft logging data related to its Bing mobile app, available in both Google Play and App Store.

After the investigation led to the Microsoft Bing App, Hakcil confirmed his findings by downloading the app and running a search for “Wizcase.” While looking through the server, he found his information, including search queries, device details, and GPS coordinates, proving the exposed data comes directly from the Bing mobile app.

The amount of Bing user data exposed is alarming.

  • Search Terms in clear text, excluding the ones entered in private mode
  • Location Coordinates: If the location permission is enabled on the app, a precise location, within 500 meters, was included in the data set. While the coordinates exposed aren’t precise, they still give a relatively small perimeter of where the user is located. By simply copying them on Google Maps, it could be possible to use them to trace back to the owner of the phone.
  • The exact time the search was executed.
  • Firebase Notification Tokens
  • Coupon Data such as timestamps of when a coupon code was copied or auto-applied by the app and on which URL it was
  • A partial list of the URLs the users visited from the search results
  • Device (Phone or Tablet) model
  • Operating System
  • 3 separate unique ID numbers assigned to each user found in the data
    • ADID: Appears to be a unique ID for a Microsoft account
    • deviceID 
    • devicehash

Searches for child sexual abuse images were found in the database.

The team could see the search queries entered by predators looking for child porn, and the websites they visited following the search.

WizCase reported the breach to Microsoft on September 13, but the tech giant didn’t secure the data until September 16.

The researchers recommend refusing GPS location permission to the Bing app, and using a VPN when carrying out searches.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear