A Bing cashback vulnerability has been discovered by Samir Meghani of the Bountii Team.The flaw exists due to a software API oversight that allows users to fake transactions to Bing. Currently, Bing does not detect these faked transactions. The flaw affects both the customer and merchant. According to Samir, in his original posting, "merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the the transaction details back to Bing." Samir detailed that the process was flawed but didn't pin point exactly how to generate fake transactions.
Bing Cashback is an initiative that pays people to search with Bing. Customers can also get cashback rewards, meaning you could get cashback from online purchases made when Bing is used.
In a follow up post over the weekend entitled "Surrendering to Microsoft", Samir posted a legal letter from Microsoft's legal team demanding he remove the original blog post to which he complied. Microsoft also terminated Samir's Bing cash back account. Some may argue that this is a heavy handed approach but clearly Microsoft doesn't take kindly to fraud.
Thanks to Jugalator for the news tip
"The post is gone. I will still write a “non-technical” post on all the problems I see with Bing Cashback in the next few days."
But despite his benevolence, MS got all ticked off. They should have worked with him to figure out the ins and outs of the error then shut it down, and allow him to continue doing what he was doing as a reward and to stimulate them to fix it quickly. Instead, they vilified him. There is only one option left to him: reveal how to steal money from MS to the rest of the world. They could lose a ton before MS swats the problem.
But despite his benevolence, MS got all ticked off. They should have worked with him to figure out the ins and outs of the error then shut it down, and allow him to continue doing what he was doing as a reward and to stimulate them to fix it quickly. Instead, they vilified him. There is only one option left to him: reveal how to steal money from MS to the rest of the world. They could lose a ton before MS swats the problem.
Yeah, having not seen the blog I can't come to a conclusion on it, but it does seem like he did the right thing. I don't know all the facts though of course, so who knows.
Last edited by GreyWolfSC on 10 Nov 2009 - 15:08
Well, if he's a merchant that uses bing cashback (or whatever the hell that is), it makes more sense that he reports it to microsoft instead of divulging the vulnerability. After all, if he's a merchant it's in his best interest that people don't cheat the whole thing
If he had good intentions he would have reported it directly to Microsoft. Obviously he did not post it with good intentions. Maybe you should open your eyes and realize not everyone these days do things for good.
Microsoft did the right thing, they gave him a chance to take it down before creating any legal action.
So Microsoft can keep their "we have no security problems" track record while blaming everyone else?
Tsk tsk.
Tsk tsk.
What? I would say that reporting it to the company who develops whatever has a security vulnerability, is not only common practice, but appropriate. I see nothing wrong with expecting that at all...
We're not talking about a simple matter of finding a security bug in some app, this bug can be used to basically steal money. It's on a different level, and MS acted in the best interest of themselves and any customers who use the servers and could be taken advantage of.
You don't go arund posting the bank vault code and think no one will care about it.
Sometimes it's not about what is lawful or not, sometimes it's just about what is the right thing to do. He should have told Microsoft privately.
the first part is true, he doesn't have the obligation to report back to microsoft, however he also doesn't have the right to post about it on his blog
Sometimes it's not about what is lawful or not, sometimes it's just about what is the right thing to do. He should have told Microsoft privately.
+1 Exactly.
As far a i know, he has no obligation to whether reporting the bug to microsoft or not, and who care. But by law he can't post in his blog ppl how to steal money. it's consider as fraudent. MS did a right thing, and that was a formal response in regarding to the post on is blog. and MS did gave him a chance to remove it instead, they sueing him for showing ppl how to steal the money.
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.