Ethical Hacking News
Microsoft's new Bing Wallpaper app has been found to secretly collect user data, raising concerns about user privacy and autonomy. The app, which is now available on the Microsoft Store, appears to be decrypting and reading all major browser cookies for tracking purposes.
The Bing Wallpaper app, available on the Microsoft Store, is collecting user tracking data by decrypting and reading major browser cookies. The app displays user prompts with configurable timing to reduce annoyance and can alter Chrome browser extension preferences. The app installs Bing Visual Search on host PCs without user consent and raises questions about Microsoft's motives for this feature. Microsoft claims the app doesn't peruse and decrypt all user cookies, but Rivera disputes this, saying it does so in a way that's not immediately clear. The incident highlights the need for users to be cautious when installing apps, especially those from major companies like Microsoft.
Microsoft's latest move has sparked concern among users and security experts alike: the company's new Bing Wallpaper app, now available on the Microsoft Store, appears to do more than change desktop backgrounds. According to Rafael Rivera, a self-identified Microsoft MVP alum, the app is secretly decrypting and reading all major browser cookies for user tracking purposes, while also displaying user prompts with configurable timing to reduce annoyance.
The Bing Wallpaper app has been around for some time, but its recent update has drawn attention to its concerning capabilities. Rivera discovered them using basic tools: ILSpy for code decompilation and Windows Sandbox for testing and observation. The code revealed features that enable the app to alter Chrome browser extension preferences, detect or intercept browser launches to promote extensions and launch arbitrary URLs, display user prompts with configurable timing, and utilize encrypted configuration storage.
The app also installs Bing Visual Search on host PCs without asking users, raising questions about Microsoft's motives for such a feature. Rivera noted that the app doesn't appear to be new, but rather a re-release of existing functionality through multiple channels. This raises concerns about user privacy and autonomy, as the app seems to be designed to gather data without explicit consent.
When asked to disprove Rivera's claims, Microsoft assured us that "the Bing Wallpaper app does not peruse and decrypt all [emphasis added] user Edge and Chrome cookies," a distinction Rivera dismissed as "splitting hairs." However, Rivera pointed out that the app locates where Google Chrome, Microsoft Edge, and Mozilla Firefox store their cookies, queries for cookies with names they are interested in (such as MUID), retrieves their encrypted content, and then proceeds to decrypt them, all without user intervention.
The cookie values then appear to get sent to or are used by Microsoft. This raises questions about the company's stance on user privacy and data collection. While Microsoft claims that the app doesn't perform any new functionality or changes from previous versions, Rivera noted that it's not immediately clear which configurations do and don't offer/install certain features.
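The access pattern Rivera describes, a non-browser process opening the Chrome, Edge and Firefox cookie stores, can be looked for in file-access telemetry. The following is an added example, not code from the article or from Rivera; the event format, process names and user path are constructed, and the store paths are the browsers' default profile locations.

```python
import re
from pathlib import PureWindowsPath

# Default cookie-store locations of the three browsers the article names.
COOKIE_STORES = {
    "Chrome": re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    "Edge": re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    "Firefox": re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
}
# The only process expected to open each store is the browser that owns it.
OWNERS = {"Chrome": "chrome.exe", "Edge": "msedge.exe", "Firefox": "firefox.exe"}

def find_foreign_readers(events):
    """Return (process, browser) for every cookie-store open by a non-owner."""
    hits = []
    for line in events:
        fields = dict(part.split("=", 1) for part in line.split("|"))
        image = PureWindowsPath(fields["image"]).name.lower()
        for browser, pattern in COOKIE_STORES.items():
            if pattern.search(fields["target"]) and image != OWNERS[browser]:
                hits.append((image, browser))
    return hits

def cross_browser_readers(hits):
    """Processes that opened more than one browser's store (the article's pattern)."""
    seen = {}
    for image, browser in hits:
        seen.setdefault(image, set()).add(browser)
    return {image: sorted(b) for image, b in seen.items() if len(b) > 1}

# Constructed events: the "image=...|target=..." format, the user path and the
# process names wallpaper-helper.exe and backup-tool.exe are assumptions.
U = r"C:\Users\alice\AppData"

def ev(image, target):
    return "image=" + image + "|target=" + U + target

SAMPLE_EVENTS = [
    ev(r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ev(r"C:\Apps\wallpaper-helper.exe", r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ev(r"C:\Apps\wallpaper-helper.exe", r"\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    ev(r"C:\Apps\wallpaper-helper.exe", r"\Roaming\Mozilla\Firefox\Profiles\x1.default\cookies.sqlite"),
    ev(r"C:\Apps\backup-tool.exe", r"\Roaming\Mozilla\Firefox\Profiles\x1.default\cookies.sqlite"),
    ev(r"C:\Apps\wallpaper-helper.exe", r"\Local\Temp\cache.dat"),
]

if __name__ == "__main__":
    print(cross_browser_readers(find_foreign_readers(SAMPLE_EVENTS)))
```

A single foreign reader of one store, such as a backup tool, is common; a process that opens the stores of several browsers is the stronger signal.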
The incident highlights the need for users to be cautious when installing apps, especially those from major companies like Microsoft. As Rivera put it, "What I find deeply troubling is Microsoft's willing development and distribution of what is essentially malware." The fact that the app is free raises concerns about how Microsoft plans to monetize it in the future.
The issue has sparked debate among security experts and users alike, with some questioning the company's motives for developing such an app. Rivera concluded that a full audit would be quite time-intensive and isn't where he wants to focus his energy. However, he did invite readers to audit the app themselves, highlighting the importance of user awareness and vigilance in protecting their online privacy.
In light of this incident, it is essential to exercise caution when installing the Bing Wallpaper app or any other software that may be collecting data without explicit consent. Users should take steps to protect their personal information and remain informed about the data collection practices of companies like Microsoft.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2024/11/26/bing_wallpaper_app/
https://www.msn.com/en-us/news/technology/bing-wallpaper-app-now-in-windows-store-accused-of-cookie-shenanigans/ar-AA1uMP9t
https://www.theregister.com/2024/11/26/bing_wallpaper_app/
Published: Tue Nov 26 11:03:59 2024 by llama3.2 3B Q4_K_M