ICYMI: Sept 21 - Sept 27

ICYMI is posted every Monday recapping privacy news over the last week from around the web.

Data Leak: Unsecured Server Exposed Bing Mobile App Data

The exposed data includes:

- Search Terms in clear text, excluding the ones entered in private mode
- Location Coordinates: If the location permission is enabled on the app, a precise location, within 500 meters, was included in the data set. While the coordinates exposed aren't precise, they still give a relatively small perimeter of where the user is located. By simply copying them on Google Maps, it could be possible to use them to trace back to the owner of the phone.
- The exact time the search was executed
- Firebase Notification Tokens
- Coupon Data such as timestamps of when a coupon code was copied or auto-applied by the app and on which URL it was
- A partial list of the URLs the users visited from the search results
- Device (Phone or Tablet) model
- Operating System
- 3 separate unique ID numbers assigned to each user found in the data:
  - ADID: Appears to be a unique ID for a Microsoft account
  - deviceID
  - devicehash
[...] Hakcil and his team discovered a 6.5TB server and saw it was growing by as much as 200GB per day. Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk.

If you're a user of Google, Bing, or Yahoo, you'll want to switch to a private search engine as soon as possible. Use StartPage if you want Google results, or DuckDuckGo if you prefer Bing/Yahoo.

You can be easily identified based on your "anonymous" searches. The New York Times was able to identify people when AOL released a massive database of searches from their users back in 2006.
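The leaked Bing records and the 2006 AOL release make the same point: a pseudonymous user id does not anonymize a log when the surrounding fields (device model, OS, rounded coordinates) single people out. The script below is an added example, not code from the original post or from either investigation. It runs a k-anonymity check over a constructed sample log whose field names mirror the leak description but whose values are invented, and shows how coarsening the location raises k. The threshold and the choice of quasi-identifiers are assumptions for illustration.

```python
"""Re-identification risk check for a pseudonymized search log (added example).

Before retaining or releasing a log, measure how many pseudonymous users can
be singled out from quasi-identifiers alone. The sample log is constructed;
field names follow the leak description, values are made up.
"""
from collections import defaultdict

# Constructed sample rows: a pseudonymous id plus fields an outsider could
# plausibly observe about a person (device, OS, approximate location).
SAMPLE_LOG = [
    {"user_id": "u1", "device": "Pixel 4", "os": "Android 10", "lat": 47.61, "lon": -122.33, "query": "pharmacy hours"},
    {"user_id": "u1", "device": "Pixel 4", "os": "Android 10", "lat": 47.61, "lon": -122.33, "query": "bus schedule"},
    {"user_id": "u2", "device": "Pixel 4", "os": "Android 10", "lat": 47.62, "lon": -122.34, "query": "weather"},
    {"user_id": "u3", "device": "iPhone 11", "os": "iOS 13", "lat": 47.61, "lon": -122.33, "query": "coffee"},
    {"user_id": "u4", "device": "iPhone 11", "os": "iOS 13", "lat": 47.61, "lon": -122.33, "query": "parking"},
    {"user_id": "u5", "device": "Galaxy S10", "os": "Android 10", "lat": 34.05, "lon": -118.24, "query": "news"},
    {"user_id": "u6", "device": "Galaxy S10", "os": "Android 10", "lat": 34.05, "lon": -118.25, "query": "recipes"},
]


def quasi_identifier(row, precision=2):
    """Tuple of attributes that could be matched against outside knowledge.

    `precision` is the number of decimal places kept for the coordinates;
    fewer places means a coarser, and therefore less identifying, location.
    """
    return (row["device"], row["os"],
            round(row["lat"], precision), round(row["lon"], precision))


def k_anonymity(log, precision=2):
    """Map each pseudonymous user to its k: the number of distinct users that
    share its quasi-identifier. A user with several rows gets the smallest
    group it appears in (the worst case). k == 1 means the pseudonym maps to a
    single real-world profile and is not anonymous in any useful sense.
    """
    users_by_qi = defaultdict(set)
    for row in log:
        users_by_qi[quasi_identifier(row, precision)].add(row["user_id"])
    k = {}
    for users in users_by_qi.values():
        for user in users:
            k[user] = min(k.get(user, len(users)), len(users))
    return k


def unique_fraction(log, precision=2):
    """Share of users that are uniquely identifiable (k == 1)."""
    k = k_anonymity(log, precision)
    return sum(1 for v in k.values() if v == 1) / len(k)


def safe_to_release(log, min_k=2, precision=2):
    """Assumed release rule for this example: every user must have k >= min_k."""
    return min(k_anonymity(log, precision).values()) >= min_k


if __name__ == "__main__":
    for precision in (2, 0):
        print(f"precision={precision}: "
              f"{unique_fraction(SAMPLE_LOG, precision):.0%} of users unique, "
              f"release ok: {safe_to_release(SAMPLE_LOG, precision=precision)}")
```

With two-decimal coordinates four of the six sample users are unique; rounding to whole degrees puts every user in a group of at least two. Note that this check only covers the structured fields: the search terms themselves are what the New York Times used to name AOL users, and a query that contains a name, address or account number is a direct identifier that no amount of coordinate rounding repairs.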

The High Privacy Cost of a “Free” Website

We scanned more than 80,000 of the world’s most popular websites with Blacklight and found more than 5,000 were “fingerprinting” users, identifying them even if they block third-party cookies.

We also found more than 12,000 websites loaded scripts that watch and record all user interactions on a page—including scrolls and mouse movements. It’s called “session recording” and we found a higher prevalence of it than researchers had documented before.

More than 200 popular websites used a particularly invasive technique that captures personal information people enter on forms—like names, phone numbers, and passwords—before they hit send. It’s called “key logging” and it’s sometimes done as part of session recording.

A long, but incredibly insightful, read.

Want to join the discussion? Check out this post, and others, over at the CupWire subreddit and leave a comment.