
from the it's-only-my-porn-searches dept.
Bing user data exposed – includes location, search terms, sites visited
A team of security researchers has found Bing user data exposed on a server owned by Microsoft. The data comes from both iOS and Android versions of the Bing app. The data exposed includes unique user IDs, search queries, location, and even webpages visited as a result of searches[.]
Security site WizCase made the discovery. It says the database was originally password-protected, but was left unprotected between September 10 and September 16.
From WizCase:
[...] Hakcil and his team discovered a 6.5TB server and saw it was growing by as much as 200GB per day. Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk. We saw records of people searching from more than 70 countries.
[...] After Hakcil confirmed the database belonged to the Bing app, the team alerted Microsoft on September 13th. They quickly responded to our message. We then reported the data leak to the MSRC – Microsoft Security Response Center and they secured it a few days later, on September 16th.
From what we saw, between September 10th – 12th, the server was targeted by a Meow attack[0] that deleted nearly the entire database. When we discovered the server on the 12th, 100 million records had been collected since the attack. There was a second Meow attack on the server on September 14.
The new cyber attack appears to be a bot that seeks and destroys unsecured databases that run the Elasticsearch, Redis or MongoDB software. The name comes from it overwriting the word "meow" repeatedly in each database index that it finds. The bot overwrites all of the data, effectively destroying the contents of the database.
(Score: 0) by Anonymous Coward on Wednesday September 23 2020, @04:26AM (5 children)
> The bot overwrites all of the data, effectively destroying the contents of the database.
Yet nothing of value was lost...
(Score: 0) by Anonymous Coward on Wednesday September 23 2020, @05:01AM (4 children)
Bing has an app?
(Score: 2) by Booga1 on Wednesday September 23 2020, @05:21AM (1 child)
There's an app for everything. Everybody's gotta have one. It's the new "vendor lock in." Everyone wants to have you open their app. Visit their web page from your phone and you'll get a pop up that says, "Install our APP! YES or Bug me every time?" [xkcd.com]
(Score: 0) by Anonymous Coward on Wednesday September 23 2020, @05:51AM
Modern app appers know that only apps can app apps every time.
Apps!
(Score: 3, Touché) by Grishnakh on Wednesday September 23 2020, @06:12AM (1 child)
It does. The question is, who actually uses it?
(Score: 0) by Anonymous Coward on Wednesday September 23 2020, @03:30PM
Have they notified both users?
(Score: 2) by gmby on Wednesday September 23 2020, @04:39AM (2 children)
I like that pussy.
Bye
(Score: 3, Insightful) by c0lo on Wednesday September 23 2020, @04:47AM (1 child)
That's not an attack either.
Better call it "Meow last line of defense" - when the administrators fail, it steps in and doesn't let your data fall into hands you wouldn't like.
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Wednesday September 23 2020, @08:06PM
Like radiation therapy, the cure in question typically has side effects.
(Score: 2) by Booga1 on Wednesday September 23 2020, @04:58AM
I guess it's possible for anyone to mess up, but you'd expect the big companies to have some isolation to prevent any exposure of their databases to the outside world. I guess some admin in their Bing department has some explaining to do.
"It's not so funny meow is it?" [youtube.com]
(Score: 3, Interesting) by looorg on Wednesday September 23 2020, @07:11AM
Isn't this kind of odd? So it was password protected but they, whoever they are, keep trying over and over and over again and won't stop. Then all of a sudden they remove the password protection for a week?
(Score: 3, Funny) by Anonymous Coward on Wednesday September 23 2020, @09:46AM
Oh no, the most searched term has been exposed:
Google
(Score: 2) by Gaaark on Wednesday September 23 2020, @10:55AM
3 days? It took MS THREE days to secure it?
Why wasn't it IMMEDIATE?
MS security at its finest.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 3, Insightful) by bart9h on Wednesday September 23 2020, @12:59PM (4 children)
Uneducated people use Google.
People with a clue use DuckDuckGo.
That leaves the senile who don't even know how to install a different browser, let alone configure a different search engine.
(Score: 3, Insightful) by epitaxial on Wednesday September 23 2020, @05:06PM (2 children)
Bing works about as well as google and that isn't saying much. Not a day goes by that I don't have to wrap quotes around a search term because google ignored it.
(Score: 0) by Anonymous Coward on Wednesday September 23 2020, @08:14PM (1 child)
LOL. With Google, you have yet to notice that the quoted phrase is still often not present in body text? Try it a few times - use a combined unquoted and quoted query (a few terms with one short phrase quoted, don't go crazy), search, pick five results that don't show the quoted text in the preview, and ctrl-f for the phrase you have in quotes - is it in the results each time? It typically is not for me and in fact it's not that uncommon that it's not available through 'view source' at all.
And that includes when I turn on JS and disable XSS-protection.
The easiest example offhand is quora, which has some magnificent brains playing eternal checkers with the search engine tuners, and are many pieces up. I still sometimes fail to url-check or misclick and it's a rare time that the quoted phrase is ctrl-f'able on the page.
(Score: 2) by epitaxial on Thursday September 24 2020, @03:28AM
Oh I've certainly noticed it. The results are mildly related to my terms and always unhelpful.
(Score: 1, Interesting) by Anonymous Coward on Wednesday September 23 2020, @10:15PM
and people with a better mind use DDG's .onion link for Tor users:
https://3g2upl4pq6kufc4m.onion/ [3g2upl4pq6kufc4m.onion]
(Score: 0) by Anonymous Coward on Thursday September 24 2020, @12:53AM
Ned: Phil? Hey, Phil? Phil! Phil Connors? Phil Connors, I thought that was you!
Phil: Hi, how you doing? Thanks for watching.
[Starts to walk away]
Ned: Hey, hey! Now, don't you tell me you don't remember me because I sure as heckfire remember you.
Phil: Not a chance.
Ned: Ned... Ryerson. "Needlenose Ned"? "Ned the Head"? C'mon, buddy. Case Western High. Ned Ryerson: I did the whistling belly-button trick at the high school talent show? Bing! Ned Ryerson: got the shingles real bad senior year, almost didn't graduate? Bing, again. Ned Ryerson: I dated your sister Mary Pat a couple times until you told me not to anymore? Well?
Phil: Ned Ryerson?
Ned: Bing!
Phil: Bing.