Bing cashback exploit discovered, Microsoft sends in lawyers

A Bing cashback vulnerability has been discovered by Samir Meghani of the Bountii Team.

The flaw exists due to a software API oversight that allows users to fake transactions to Bing. Currently, Bing does not detect these faked transactions. The flaw affects both the customer and merchant. According to Samir, in his original posting, "merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the the transaction details back to Bing." Samir detailed that the process was flawed but didn't pin point exactly how to generate fake transactions.

Bing Cashback is an initiative that pays people to search with Bing. Customers can also get cashback rewards, meaning you could get cashback from online purchases made when Bing is used.

In a follow up post over the weekend entitled "Surrendering to Microsoft", Samir posted a legal letter from Microsoft's legal team demanding he remove the original blog post to which he complied. Microsoft also terminated Samir's Bing cash back account. Some may argue that this is a heavy handed approach but clearly Microsoft doesn't take kindly to fraud.

Thanks to Jugalator for the news tip

Report a problem with article
Previous Story

TechSpot: Acer Timeline 14" 4810T Notebook Review

Next Story

Microsoft Windows 7 download tool may have violated GPL

28 Comments

Commenting is disabled on this article.

this show how stupid he was.

As far a i know, he has no obligation to whether reporting the bug to microsoft or not, and who care. But by law he can't post in his blog ppl how to steal money. it's consider as fraudent. MS did a right thing, and that was a formal response in regarding to the post on is blog. and MS did gave him a chance to remove it instead, they sueing him for showing ppl how to steal the money.

Maybe Microsoft should remove the cached page from Bing? I can still see how to do it, all thanks to Microsoft themselves :P

standard response from Microsoft (and imho nothing wrong with it) he should have reported the bug to microsoft instead of posting about on his blog.

He has no obligation to report the bug to microsoft, and as far as I am concerned he can post whatever he likes on his blog.

So if he happend to come accross some private data about you or others and just decided to post it on his blog that'd be fine right?

We're not talking about a simple matter of finding a security bug in some app, this bug can be used to basically steal money. It's on a different level, and MS acted in the best interest of themselves and any customers who use the servers and could be taken advantage of.

You don't go arund posting the bank vault code and think no one will care about it.

+1 to GP007.

Sometimes it's not about what is lawful or not, sometimes it's just about what is the right thing to do. He should have told Microsoft privately.

DomZ said,
He has no obligation to report the bug to microsoft, and as far as I am concerned he can post whatever he likes on his blog.


the first part is true, he doesn't have the obligation to report back to microsoft, however he also doesn't have the right to post about it on his blog

Nick Brunt said,
+1 to GP007.

Sometimes it's not about what is lawful or not, sometimes it's just about what is the right thing to do. He should have told Microsoft privately.

+1 Exactly.

If I ever got a letter like that from lawyers in the USA id reply to them in the same fashion as the pirate bay did lol. But then again I dont live in America where they actually can make good on the threats carried within...

You have to love Microsoft I personally love their software but hate when they act like this. Fix the damn mistake and dont jump down the guys throat who caught it or next time he wont bother to post it, just exploit it.

BaZurk said,
You have to love Microsoft I personally love their software but hate when they act like this. Fix the damn mistake and dont jump down the guys throat who caught it or next time he wont bother to post it, just exploit it.

Well, if he's a merchant that uses bing cashback (or whatever the hell that is), it makes more sense that he reports it to microsoft instead of divulging the vulnerability. After all, if he's a merchant it's in his best interest that people don't cheat the whole thing

BaZurk said,
You have to love Microsoft I personally love their software but hate when they act like this. Fix the damn mistake and dont jump down the guys throat who caught it or next time he wont bother to post it, just exploit it.

If he had good intentions he would have reported it directly to Microsoft. Obviously he did not post it with good intentions. Maybe you should open your eyes and realize not everyone these days do things for good.

Microsoft did the right thing, they gave him a chance to take it down before creating any legal action.

DarkNovaGamer said,
If he had good intentions he would have reported it directly to Microsoft.

So Microsoft can keep their "we have no security problems" track record while blaming everyone else?

Tsk tsk.

daPhoenix said,
So Microsoft can keep their "we have no security problems" track record while blaming everyone else?

Tsk tsk.

What? I would say that reporting it to the company who develops whatever has a security vulnerability, is not only common practice, but appropriate. I see nothing wrong with expecting that at all...

No, if that was in fact what was occurring, I see nothing wrong with the response. We don't of course know what the situation entailed. It seems like the assumption (As it tends to be) is that Microsoft is just wrong... LOL

actually!

"The post is gone. I will still write a “non-technical” post on all the problems I see with Bing Cashback in the next few days."

He was making money with this error, and nice enough to point it out and not reveal how to do it. If I was making money from a website the last thing I would do is tell the site it was broken! So he did something very nice by pointing the out the error.

But despite his benevolence, MS got all ticked off. They should have worked with him to figure out the ins and outs of the error then shut it down, and allow him to continue doing what he was doing as a reward and to stimulate them to fix it quickly. Instead, they vilified him. There is only one option left to him: reveal how to steal money from MS to the rest of the world. They could lose a ton before MS swats the problem.

MaJoR said,
He was making money with this error, and nice enough to point it out and not reveal how to do it. If I was making money from a website the last thing I would do is tell the site it was broken! So he did something very nice by pointing the out the error.

But despite his benevolence, MS got all ticked off. They should have worked with him to figure out the ins and outs of the error then shut it down, and allow him to continue doing what he was doing as a reward and to stimulate them to fix it quickly. Instead, they vilified him. There is only one option left to him: reveal how to steal money from MS to the rest of the world. They could lose a ton before MS swats the problem.

Yeah, having not seen the blog I can't come to a conclusion on it, but it does seem like he did the right thing. I don't know all the facts though of course, so who knows.