Last Friday, Stanford security researcher Elie Bursztein announced that, in the course of preparing for his upcoming Black Hat talk on computer forensics, he stumbled across a serious privacy issue in Microsoft's geolocation API.
Google, Microsoft and Apple all collect information about Wi-Fi hotspots and their location using consumer smartphones and other methods. This data is used to make it easier for location-based services to function when GPS is not available.
Security researchers have previously shown that Google's geolocation API can be abused to track wireless devices by their MAC addresses. This prompted the company to introduce a filter that requires queries to contain two nearby MAC addresses instead of one.
But Microsoft kept its Live Location API open. "To my surprise Microsoft’s API did not enforce any query restrictions. You can get the location for a single MAC address and do as many queries as you want," the researcher wrote on his blog.
And while Microsoft at first informed him that it did not have a problem with this, the company changed its mind after the media learned about the privacy issue. Earlier this week, the software giant restricted its API in a way similar to Google's and thanked the security researchers in Bursztein's team for reporting the problem.
"This change adds improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted," the company explained.
"Microsoft is keenly aware of the sensitivity around all privacy issues, especially those surrounding geolocation. Microsoft's privacy and security team has been in contact with Elie and we will continue the ongoing dialog with experts in the privacy field to improve our service offerings," it added.
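
The request filter described above, sketched server-side as an added example; it is not Google's or Microsoft's code. The access-point table, the 200 m "nearby" threshold and all function names are assumptions made for illustration.

```python
import math
import re

# Constructed sample table: BSSID -> (latitude, longitude). Not real data.
AP_DB = {
    "00:11:22:33:44:01": (37.4275, -122.1697),
    "00:11:22:33:44:02": (37.4277, -122.1695),
    "00:11:22:33:44:03": (40.7128, -74.0060),
}
MAX_SPREAD_M = 200.0  # assumed limit for two access points to count as "nearby"
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


def locate(macs):
    """Return an inferred (lat, lon), or None when the request fails the filter."""
    # Normalise and de-duplicate, so one address sent twice does not count as two.
    norm = {m.strip().lower().replace("-", ":") for m in macs}
    if any(not MAC_RE.match(m) for m in norm):
        return None
    # Only addresses already in the table count; an unknown one is not a witness.
    known = [AP_DB[m] for m in norm if m in AP_DB]
    if len(known) < 2:
        return None
    # Every pair must be close together, so the caller has to supply addresses
    # that are actually observable from one place.
    for i, p in enumerate(known):
        for q in known[i + 1:]:
            if haversine_m(p, q) > MAX_SPREAD_M:
                return None
    lat = sum(p[0] for p in known) / len(known)
    lon = sum(p[1] for p in known) / len(known)
    return (lat, lon)
```

The proximity check is what gives the two-address rule its value: a request only succeeds when the caller already holds evidence of being near the access point in question.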