ICYMI is posted every Monday recapping privacy news over the last week from around the web.
The exposed data includes:

- Search Terms in clear text, excluding the ones entered in private mode
- Location Coordinates: If the location permission is enabled on the app, a precise location, within 500 meters, was included in the data set. While the coordinates exposed aren’t precise, they still give a relatively small perimeter of where the user is located. By simply copying them on Google Maps, it could be possible to use them to trace back to the owner of the phone.
- The exact time the search was executed.
- Firebase Notification Tokens
- Coupon Data such as timestamps of when a coupon code was copied or auto-applied by the app and on which URL it was
- A partial list of the URLs the users visited from the search results
- Device (Phone or Tablet) model
- Operating System
- 3 separate unique ID numbers assigned to each user found in the data
  - ADID: Appears to be a unique ID for a Microsoft account
  - deviceID
  - devicehash
[...] Hakcil and his team discovered a 6.5TB server and saw it was growing by as much as 200GB per day. Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk.
You can be easily identified based on your "anonymous" searches. The New York Times was able to identify people when AOL released a massive database of searches from their users back in 2006.
We scanned more than 80,000 of the world’s most popular websites with Blacklight and found more than 5,000 were “fingerprinting” users, identifying them even if they block third-party cookies.
We also found more than 12,000 websites loaded scripts that watch and record all user interactions on a page—including scrolls and mouse movements. It’s called “session recording” and we found a higher prevalence of it than researchers had documented before.
More than 200 popular websites used a particularly invasive technique that captures personal information people enter on forms—like names, phone numbers, and passwords—before they hit send. It’s called “key logging” and it’s sometimes done as part of session recording.
A long, but incredibly insightful, read.