Neowin.net

Bing cashback exploit discovered, Microsoft sends in lawyers

By Tom Warren, 10 November 2009 - 14:09 29 comments

A Bing cashback vulnerability has been discovered by Samir Meghani of the Bountii Team.

The flaw exists due to a software API oversight that allows users to fake transactions to Bing. Currently, Bing does not detect these faked transactions. The flaw affects both the customer and merchant. According to Samir, in his original posting, "merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the the transaction details back to Bing." Samir detailed that the process was flawed but didn't pin point exactly how to generate fake transactions.

Bing Cashback is an initiative that pays people to search with Bing. Customers can also get cashback rewards, meaning you could get cashback from online purchases made when Bing is used.

In a follow up post over the weekend entitled "Surrendering to Microsoft", Samir posted a legal letter from Microsoft's legal team demanding he remove the original blog post to which he complied. Microsoft also terminated Samir's Bing cash back account. Some may argue that this is a heavy handed approach but clearly Microsoft doesn't take kindly to fraud.

Thanks to Jugalator for the news tip

Comments (29)

SmNet - 10 November 2009 - 14:12

lol now lets see how he reacts
+Northgrove - 10 November 2009 - 15:57

He pulled his blog post, and MS shut down his account. I don't think more will happen here.
SmNet - 10 November 2009 - 18:54

actually!
"The post is gone. I will still write a â��non-technicalâ�� post on all the problems I see with Bing Cashback in the next few days."
MaJoR - 10 November 2009 - 21:59

He was making money with this error, and nice enough to point it out and not reveal how to do it. If I was making money from a website the last thing I would do is tell the site it was broken! So he did something very nice by pointing the out the error.
But despite his benevolence, MS got all ticked off. They should have worked with him to figure out the ins and outs of the error then shut it down, and allow him to continue doing what he was doing as a reward and to stimulate them to fix it quickly. Instead, they vilified him. There is only one option left to him: reveal how to steal money from MS to the rest of the world. They could lose a ton before MS swats the problem.
M_Lyons10 - 11 November 2009 - 02:17

MaJoR said,
He was making money with this error, and nice enough to point it out and not reveal how to do it. If I was making money from a website the last thing I would do is tell the site it was broken! So he did something very nice by pointing the out the error.
But despite his benevolence, MS got all ticked off. They should have worked with him to figure out the ins and outs of the error then shut it down, and allow him to continue doing what he was doing as a reward and to stimulate them to fix it quickly. Instead, they vilified him. There is only one option left to him: reveal how to steal money from MS to the rest of the world. They could lose a ton before MS swats the problem.
Yeah, having not seen the blog I can't come to a conclusion on it, but it does seem like he did the right thing. I don't know all the facts though of course, so who knows.
GreyWolf - 10 November 2009 - 14:26

I don't think responding to fraud is "heavy handed."
M_Lyons10 - 11 November 2009 - 02:18

No, if that was in fact what was occurring, I see nothing wrong with the response. We don't of course know what the situation entailed. It seems like the assumption (As it tends to be) is that Microsoft is just wrong... LOL
SojIrOu - 10 November 2009 - 14:28

I spot a typo in the letter. lol.
BaZurk - 10 November 2009 - 14:33

You have to love Microsoft I personally love their software but hate when they act like this. Fix the damn mistake and dont jump down the guys throat who caught it or next time he wont bother to post it, just exploit it.
Julius Caro - 10 November 2009 - 14:39

BaZurk said,
You have to love Microsoft I personally love their software but hate when they act like this. Fix the damn mistake and dont jump down the guys throat who caught it or next time he wont bother to post it, just exploit it.
Well, if he's a merchant that uses bing cashback (or whatever the hell that is), it makes more sense that he reports it to microsoft instead of divulging the vulnerability. After all, if he's a merchant it's in his best interest that people don't cheat the whole thing
DarkNovaGamer - 10 November 2009 - 19:01

BaZurk said,
You have to love Microsoft I personally love their software but hate when they act like this. Fix the damn mistake and dont jump down the guys throat who caught it or next time he wont bother to post it, just exploit it.
If he had good intentions he would have reported it directly to Microsoft. Obviously he did not post it with good intentions. Maybe you should open your eyes and realize not everyone these days do things for good.
Microsoft did the right thing, they gave him a chance to take it down before creating any legal action.
daPhoenix - 10 November 2009 - 20:10

DarkNovaGamer said,
If he had good intentions he would have reported it directly to Microsoft.

So Microsoft can keep their "we have no security problems" track record while blaming everyone else?
Tsk tsk.
M_Lyons10 - 11 November 2009 - 02:20

daPhoenix said,
So Microsoft can keep their "we have no security problems" track record while blaming everyone else?
Tsk tsk.
What? I would say that reporting it to the company who develops whatever has a security vulnerability, is not only common practice, but appropriate. I see nothing wrong with expecting that at all...
+Anarkii - 10 November 2009 - 14:46

If I ever got a letter like that from lawyers in the USA id reply to them in the same fashion as the pirate bay did lol. But then again I dont live in America where they actually can make good on the threats carried within...
XerXis - 10 November 2009 - 14:53

standard response from Microsoft (and imho nothing wrong with it) he should have reported the bug to microsoft instead of posting about on his blog.
DomZ - 10 November 2009 - 15:39

He has no obligation to report the bug to microsoft, and as far as I am concerned he can post whatever he likes on his blog.
GP007 - 10 November 2009 - 16:12

So if he happend to come accross some private data about you or others and just decided to post it on his blog that'd be fine right?

We're not talking about a simple matter of finding a security bug in some app, this bug can be used to basically steal money. It's on a different level, and MS acted in the best interest of themselves and any customers who use the servers and could be taken advantage of.

You don't go arund posting the bank vault code and think no one will care about it.
Nick Brunt - 10 November 2009 - 16:19

+1 to GP007.
Sometimes it's not about what is lawful or not, sometimes it's just about what is the right thing to do. He should have told Microsoft privately.
XerXis - 10 November 2009 - 17:13

DomZ said,
He has no obligation to report the bug to microsoft, and as far as I am concerned he can post whatever he likes on his blog.

the first part is true, he doesn't have the obligation to report back to microsoft, however he also doesn't have the right to post about it on his blog
M_Lyons10 - 11 November 2009 - 02:24

Nick Brunt said,
+1 to GP007.
Sometimes it's not about what is lawful or not, sometimes it's just about what is the right thing to do. He should have told Microsoft privately.
+1 Exactly.