We at The Hack have talked a lot about the risks of misconfiguring cloud environments: our Leaks category is full of examples of what can go wrong when SaaS and cloud computing tools are neglected. Now, however, we have an example that no one can dispute: even Microsoft slipped up and left a server exposed with no less than 6.5 TB of data.
The environment in question was a publicly reachable Elasticsearch installation that recorded information from users of the Bing search engine's mobile application. The leak was identified by the research team at WizCase, who confirmed that the server belonged to Microsoft by running random searches in Bing on a smartphone and watching those same searches appear in the environment in real time. The server was growing by 200 GB every day.
The leaked data are varied: search terms in plain text, geographic location coordinates (if the user had enabled this feature in the settings), the time of the search, a partial list of URLs visited from the results, device model, operating system and three internal identifiers (IDs) that Microsoft itself appears to assign to each user of the app.
The strangest part is that, according to the WizCase team, the server was protected until September 10, when its authentication was mysteriously removed. The leak was identified shortly afterwards, and on the 13th Microsoft was notified and responded promptly to the researchers. The problem was fixed on the 16th, but the company did not comment on what had happened.
This is a very delicate incident: by simply cross-referencing the leaked data, it would be possible to discover the identity of the people who performed a given search on Bing. So far, the analysts have found a series of disturbing searches, some illegal, such as child pornography and arms trafficking, and others legal but of a highly intimate nature.
“As ethical hackers, we do not have the resources to identify these people and hand them over to the authorities. However, this discovery revealed how many predators and dangerous people are using search engines to find their next victims and what sites they are visiting,” says WizCase.
See the original post at: https://thehack.com.br/microsoft-deixa-vazar-dados-de-quase-todos-os-usuarios-do-bing-para-smartphones/?rand=48873