Forgot your password?
typodupeerror
Censorship Microsoft Security

Microsoft Tries To Censor Bing Vulnerability 275

Posted by kdawson
from the don't-shout-and-wave-it-about dept.
An anonymous reader writes "Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cash-back exploit with a cease & desist letter, rather than by fixing the underlying security problem. It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing. The original post is currently available in Bing's cache, although perhaps not for long. But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK."
This discussion has been archived. No new comments can be posted.

Microsoft Tries To Censor Bing Vulnerability

Comments Filter:
  • by Shadow of Eternity (795165) on Tuesday November 10, 2009 @03:33AM (#30043076)

    it will probably be all over the rest of the internet and general common knowledge within the week.

  • by blankinthefill (665181) <blachanc&gmail,com> on Tuesday November 10, 2009 @03:42AM (#30043108) Journal
    I'm curious how 'anonymous reader' knows that Microsoft is doing nothing to fix the problem. This has been bugging me for a long time. Its possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system? A C&D letter doesn't mean that other actions haven't been taken. Just a thought.
  • Quote (Score:3, Insightful)

    by QuoteMstr (55051) <dan.colascione@gmail.com> on Tuesday November 10, 2009 @03:48AM (#30043132)

    Regarding the tracking pixel approach: H.L. Mencken once wrote, "there is always a well-known solution to every human problem -- neat, plausible, and wrong." I cannot think of a situation to which this sentiment better applies.

  • Re:Mirror (Score:5, Insightful)

    by Rufus211 (221883) <rufus-slashdot&hackish,org> on Tuesday November 10, 2009 @03:48AM (#30043136) Homepage

    Also the guy who posted this is an idiot for placing a $100,000 transaction which would result in a $2,000 payment, and then bragging about it. His two $1 transactions proved the vulnerability and the $0.06 payment generated is easily ignored. The $100k transaction with $2k payment is just flat out wire fraud asking for federal PMITA prison.

  • by 1s44c (552956) on Tuesday November 10, 2009 @04:02AM (#30043180)

    After about 30 years is this still news?

    Use Microsoft software and you get screwed. They don't design software they design the user interface and botch the software. They are now as always a marketing not an IT company. It's always been that way, it will always be that way.

  • by Anonymous Coward on Tuesday November 10, 2009 @04:13AM (#30043226)

    The phrasing seemed pretty neutral to me. How would you have phrased it so that it doesn't seem to indicate that it is a bad thing?

  • Re:Mirror (Score:5, Insightful)

    by slimjim8094 (941042) <slashdot3@@@justconnected...net> on Tuesday November 10, 2009 @04:13AM (#30043230)

    Parent is not a troll. This guy is seriously in for it - the FBI et.al frowns upon people who cheat companies out of literally thousands of dollars. The six cents would've been overlooked, and prove the point nicely.

    $2k will certainly not be overlooked. Even if he never collects it... he's still fucked.

  • by Shadow of Eternity (795165) on Tuesday November 10, 2009 @04:25AM (#30043268)

    GP just wants someone to hate on, you don't get much more neutral in phrasing than that without making a two word post saying only "Streisand effect."

  • No (Score:5, Insightful)

    by oGMo (379) on Tuesday November 10, 2009 @04:27AM (#30043272)

    If you have a glaring vulnerability that lets people defraud your customers out of arbitrary amounts of money, the only sane thing to do is immediately disable the feature. Not wait for a solution. Not cover up the issue. You make coverage of the issue irrelevant. If one person figured it out and wrote about it, 100 other people also figured it out and are using it for personal gain.

  • by MadnessASAP (1052274) <madnessasap@gmail.com> on Tuesday November 10, 2009 @04:29AM (#30043282)

    Ever heard of the Streisand effect? If you're trying to suppress information about something a C&D is the last thing you want to do. Furthermore many companies when put in an identical situation will respond with "Thank you we are aware of the problem and are currently working on it" rather then a C&D.

    Also you sound like a schizophrenic jackass.

  • by Chrisq (894406) on Tuesday November 10, 2009 @04:36AM (#30043302)
    If they had any sense they would have anticipated the Streisand affect. It would have been much more effective to tell him the situation, ask him to remove the post and offer him whatever they paid their lawyers to issue the injunction as a "good will" gesture. That way if he did release it then he'd look like an @sshole rather than a victim.
  • by value_added (719364) on Tuesday November 10, 2009 @04:55AM (#30043386)

    As to your first point, most business are very secrative about potentially damaging things. I don't understand why it's surprising when MS acts just like every other large corporation in protecting itself.

    It's a truism, if not a cliche, to point out business are secretive about potentially damaging things.

    The difference here is that the scope of damage extends outside narrow corporate concerns. In such situations, it's both fair and reasonable for customers to expect a certain level of transparency. In many industries, disclosures that negatively affect third parties are mandated by law (cue the car analogies).

    Microsoft has chosen, in historically typical fashion, the complete opposite of transparency. The criticisms are well deserved.

  • by Anonymous Coward on Tuesday November 10, 2009 @04:59AM (#30043398)

    C&Ds do work in two cases:

    The first is if the C&D gets out fast enough that people are not unable to mirror the information, especially if it is stored in a dynamic database that can't just be grabbed completely with a wget. One example of this: Say someone makes a keygen app that runs on their webserver, and people submit forms to get bogus serial numbers. A C&D would completely smash this, preventing the information from getting released. Similar if people ran other services that could be nailed by an ACTA or DMCA takedown notice.

    The second is that the information that does escape the C&Ds gets pushed from mainstream sites to the seedy corners of the Internet. These are the same areas that have the dubious filesharing programs, the warez "search engines" and "DDL" sites [1], the "bump all Abloy locks in 2 secs, lulz" [2] text files, and other dodgy sites which tend to be more of a test of browser security than a place to find anything useful. So, unless someone is willing to spend time looking for that exact information on a hardened computer, it effectively has vanished.

    Don't underestimate the power of lawyers. They have the guys with guns on their side.

    [1]: I have DDL, or direct download in quotes because I have yet to personally see a usable direct download other than a Trojan or a drive by browser exploit in all my years of cleaning malware off of people's PCs who do believe in such fantasies.

    [2]: Yes, I know Abloy locks are unbumpable because of their design, but it is a good example. I don't know anything that defeats their latest PROTEC line of locks other than 12-14 hours of painstaking picking by dedicated speedpickers, or a good long session drilling the sucker out.

  • Re:Mirror (Score:5, Insightful)

    by jrumney (197329) on Tuesday November 10, 2009 @05:07AM (#30043424) Homepage

    it would read a 20 then a 1 and then give you $21 in change.

    Sounds like an urban myth to me. Would it add 20 and 20 from the corners of a normal $20 bill and give you $40 change?

  • Re:Mirror (Score:3, Insightful)

    by QuoteMstr (55051) <dan.colascione@gmail.com> on Tuesday November 10, 2009 @05:09AM (#30043432)

    Maybe one rooted in truth, however. I can imagine a bill-reader using some simple image recognition against just one corner of the bill. You could get two $20 bills that way.

  • by theurge14 (820596) on Tuesday November 10, 2009 @05:11AM (#30043440)

    Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.

  • by Anonymous Coward on Tuesday November 10, 2009 @06:00AM (#30043646)

    This is no more a cheat than taking someone's money for a shell game and showing them afterwards how they were scammed.

    If he's said "by the way, I managed to get 20 grand off you by this" then he's not defrauded them. If he'd kept quiet THEN he'd have defrauded them.

  • by DNS-and-BIND (461968) on Tuesday November 10, 2009 @06:20AM (#30043730) Homepage
    Incompetence is more than an adequate explanation. I, for one, am no longer shocked when huge companies admit to shamefully incompetent wrongdoing. And Microsoft has a history of such blind stupidity, so no surprises there either.
  • by mcvos (645701) on Tuesday November 10, 2009 @06:31AM (#30043756)

    Financial transactions based on a tracking pixel? Really? I just don't know where to start to point out how wrong that is.

    PayPal has dozens of different ways to pay, and most of them suck, but at least they don't encourage people to rely on tracking pixels. Either you explicitly send the customer to the payment gateway (including login or entering credit card info there) to authorize the transaction, or you have your own server talk directly to the payment gateway. Relying on a hidden browser-side hack for a financial transaction is just amazingly stupid and unnecessary, even if you don't spot any obvious flaws right away (because someone else will).

  • by mcvos (645701) on Tuesday November 10, 2009 @06:35AM (#30043768)

    and as a lawyer who sends C&Ds for a living...

    Wow, that's sad. That's almost like admitting to being a parking inspector...

    Parking inspectors do important work. They keep parking spaces available for those who really need them. I feel sorry for the abuse they sometimes get.

  • by mcvos (645701) on Tuesday November 10, 2009 @06:39AM (#30043790)

    Its possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system?

    How the hell does a C&D prevent assholes from breaking your system? Only fixing your system can do that. They should have sent him a letter expressing their gratitude for pointing out this security hole.

    But more than that, they shouldn't have enabled and encouraged merchants to rely on a horribly insecure payment method.

  • It's called fraud (Score:5, Insightful)

    by cookd (72933) <douglascook@juno.cCOLAom minus caffeine> on Tuesday November 10, 2009 @06:59AM (#30043866) Journal

    This is called "fraud". Look it up. It's been around for a long time, a lot longer than HTTP. There are standard business practices for dealing with it. Not all of them are technical. This system's technical defenses are probably sufficient to raise an alarm (delayed by a few weeks as the results are collated), and it will produce a pretty good paper trail leading to the owner of the Bing account. Some of the systems take into account minor details such as the existence of accountants, a police force, a paper trail, and a legal system. Obviously some stronger technical measures might have made it a bit more difficult to pull off this partucular fraud, or maybe it might have even stopped it, but the non-technical measures will also work just fine if they are called into play.

    Whether or not the door is obviously guarded, it's still illegal to steal stuff from a store. The fact that the door was not protected with the latest and greatest in RFID theft detection systems doesn't change the fact that what you are doing is illegal. And perhaps the tracking process is slower than what you see in movies, people still get tracked down and arrested, days or weeks after the event. Moving from the streets onto the Internet doesn't really change the rules much (except that your case will probably wind up with Federal jurisdiction).

    In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following:
    1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account.
    2. Noticed that the cash back did show up with no problem as "available for withdrawal".
    3. Tried again with a much larger purchase. Again the purchase shows up in his account.
    4. Hacker is hoping that the amount will soon become available for withdrawal.

    On the other side of the world, the accounting systems for Microsoft and the associated merchant have likely compared invoices and noticed the discrepancies. The small ones got noted, but they were thrown out as "somebody is playing with the system, but it's not worth dealing with it". But this month, when going over the books, they're going to find a nice big 100,000 item that doesn't match up with any purchase recorded on the store's official records. However, they do have the account number of the buyer that should be getting the cash back. I'm not sure what typically happens at this point, but it probably involves cancelling dinner for the wolf pack so that by the time they're ready to send out the posse, the wolves are hungry.

    In this case, Microsoft has apparently (I haven't looked into this) provided an API by which a store can report a sale and attribute the sale to a particular Bing account. The API has varying levels of security, depending on how much effort the store wants to put into preventing fake transactions from entering the system. Low effort might be fine and takes less time to set up, but it's easier to attack and that means more work to do when reconciling the accounts. Just like many other mechanisms for quickly distributing non-critical information between merchants, this isn't meant to be the authoritative information transmission system, just a way for people to keep status on accounts in between the regularly-scheduled account reconciliations. This way Bing can update your account balance within seconds of the purchase. Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences. The differences go to the auditor and possibly to the police or FBI.

    Could we maybe just think for a second before acting like jerks? Being a jerk means everybody suffers. I mean, just because I see a way to deface somebody's website doesn't mean I am obligated to do so. I walk by 100 cars a day, and I could easily spray shaving cream all over them and not get caught. But if everybody did that, quality of life would go down for everybody. Same thing on the internet.

    I hate this attitude out there th

  • by buchner.johannes (1139593) on Tuesday November 10, 2009 @07:16AM (#30043946) Homepage Journal

    In traditional Microsoft fashion, the company has responded to the author of the breaking bing cashback expoit with a cease & desist letter, rather than by fixing the underlying security problem.

    Maybe they are doing both?

    The cease and desist letter seems partially reasonable:

    Specifically, at this site you are providing information directing users how to misuse the microsoft Bing Cashback program through unauthorized technical means. Further, on this website you admit that you have personally misused the Cashback program in this regard.

    It's pretty stupid to admit you violate a law on a blog that has your name on it. He should have used a anonymous blog for that or inform Microsoft of the issue in the first place.

  • Hey Mercedes! (Score:3, Insightful)

    by tjstork (137384) <todd.bandrowsky@ ... Dl.com minus bsd> on Tuesday November 10, 2009 @07:27AM (#30044002) Homepage Journal

    Your car has an exploit, so I stole it and drove it into a wall to prove a point.

  • Re:Mirror (Score:3, Insightful)

    by Shrike82 (1471633) on Tuesday November 10, 2009 @07:57AM (#30044140)
    I do love the way vague ramblings about evil corporations and the FBI (CIA or NSA would also have been acceptable) automatically gets moderated Insightful. Way to use those mod points my friend...
  • by vadim_t (324782) on Tuesday November 10, 2009 @08:06AM (#30044176) Homepage

    The first is if the C&D gets out fast enough that people are not unable to mirror the information, especially if it is stored in a dynamic database that can't just be grabbed completely with a wget. One example of this: Say someone makes a keygen app that runs on their webserver, and people submit forms to get bogus serial numbers. A C&D would completely smash this, preventing the information from getting released. Similar if people ran other services that could be nailed by an ACTA or DMCA takedown notice.

    That's until it reappears on some site hosted in China or random servers that were broken into.

    The second is that the information that does escape the C&Ds gets pushed from mainstream sites to the seedy corners of the Internet. These are the same areas that have the dubious filesharing programs, the warez "search engines" and "DDL" sites [1], the "bump all Abloy locks in 2 secs, lulz" [2] text files, and other dodgy sites which tend to be more of a test of browser security than a place to find anything useful. So, unless someone is willing to spend time looking for that exact information on a hardened computer, it effectively has vanished.

    So great job, you managed to keep the information from the sysadmins and other upstanding people, but it's still available in the dark corners of the net, where people with questionable motivations can still get at it.

    Now for the company it's all good, but from the global point of view, things are worse than before.

    Don't underestimate the power of lawyers. They have the guys with guns on their side.

    Yep, that worked really well with the AACS key.

  • by Homburg (213427) on Tuesday November 10, 2009 @09:00AM (#30044468) Homepage

    I'm not sure how this is a sensible response to a poster complaining about security through obscurity: security through obscurity is exactly the problem here. We use information like SSN and address which are not in any way secret, merely obscure, as a way to supposedly verify identity, and that's why we have so much identity theft. The reason no-one wants to post their SSN and address on Slashdot is precisely because security through obscurity sucks.

  • Simultaneously, they keep the taxes down for those of us that pay the meter.

  • Re:Mirror (Score:2, Insightful)

    by AvitarX (172628) <<gro.derdnuheniwydnarb> <ta> <em>> on Tuesday November 10, 2009 @09:41AM (#30044756) Journal

    Well, in his defense he did publish what he did before receiving the money.

    And the 100k transaction was probably the quickest way to actually get noticed, and therefore let them know about the problem.

  • Search for "Streisand Effect" [wikipedia.org] Barbra Streisand sued to prevent publication of some pictures; as a result, it became newsworthy.
  • by commodore64_love (1445365) on Tuesday November 10, 2009 @10:03AM (#30044952) Journal

    Your comment about the "bloody knife in your hand" reminds me of a recent case in Baltimore. A man was presumed guilty and spent over 20 years in jail, because he was at the scene of the crime, and he *looked* guilty. But then a test was performed, and it was discovered that the DNA left-behind by the murderer (on the knife) was not the man in prison. Baltimore had caused an innocent man to lose 20+ years of his life.

    This type of thing happens a LOT. We shouldn't be presuming guilt. We should be presuming innocence. Just because you have a knife in your hand, or child images on your PC, or $2000 suddenly appeared in your Bing Cash account, doe snot mean you committed the crime. You could have been framed (malware) or mistakenly identified (your neighbor downloaded the stolen songs, not you) or whatever.

    The onus should be on the prosecutor, not to just provide evidence, but also proof that YOU committed the actual act. If he can't do the latter then you should presumed innocent and freed.

  • by FlyingBishop (1293238) on Tuesday November 10, 2009 @10:28AM (#30045224)

    No, you get more neutral in tone by not blaming /. as you did in the title. If you had simply said "And now it will be all over the net." That would be neutral. However, you specifically chose to call out Slashdot and Microsoft as responsible for the Streisand Effect.

  • by FooAtWFU (699187) on Tuesday November 10, 2009 @11:01AM (#30045626) Homepage
    Heck, publicizing the thing is a pretty good show of his intent. If he'd wanted to defraud Microsoft, he'd be keeping quiet about it. This is pretty clearly about disclosing a vulnerability, not "bragging" about defrauding a large corporation.
  • by ZorinLynx (31751) on Tuesday November 10, 2009 @11:05AM (#30045690) Homepage

    This reminds me of Warbird Adventures, an outfit here in FL that offered "experience" flights in WWII era trainers.

    Back in 2005, one of their aircraft broke apart in flight and instructor and student were both killed.

    Did they even post a tiny memorial on the site? Nope. Bad for business. But the disrespect shown for their former employee and customer was enough to keep me from ever recommending them again.

    A little sympathy goes a long way towards a good reputation. The world isn't perfect, and there's no way they could have known about the structural flaw that caused the breakup. (the NTSB did not hold WA liable). Yet their complete cover-up of the incident on their own site has created a lot of resentment in my case.

    Especially since the aircraft that broke up in flight was the one I had flown in months earlier, and the instructor who was killed was with me on my flight.

    Companies need to be more open about these things.

  • by Dishevel (1105119) * on Tuesday November 10, 2009 @12:12PM (#30046622)
    Time to burn some karma. I know this is flamebait but I feel the need.

    No, you get more neutral in tone by not blaming /. as you did in the title. If you had simply said "And now it will be all over the net." That would be neutral. However, you specifically chose to call out Slashdot and Microsoft as responsible for the Streisand Effect.

    Slashdot is running the story that Microsoft is trying to hide. Therefore they are in fact RESPONSIBLE.

    You are an idiot and need to STFU and go away for the day.

  • by amicusNYCL (1538833) on Tuesday November 10, 2009 @12:24PM (#30046836)

    This is pretty clearly about disclosing a vulnerability, not "bragging" about defrauding a large corporation.

    That doesn't change the fact that he did indeed defraud Microsoft and that he also intended to do it. That's something he could easily get convicted on. It doesn't really matter why he defrauded them, if he did so and intended to then he's guilty of the crime.

  • by shutdown -p now (807394) on Tuesday November 10, 2009 @01:32PM (#30048076) Journal

    Microsoft Research is not "people working for Microsoft", it's "people are paid by Microsoft not to work for Microsoft's competitors". Not a single meaningful Microsoft product or feature came from there.

    Huge chunks of .NET came out of MSR - generics, LINQ, etc. F# came out of MSR. If I remember correctly, Surface came out of MSR.

    Truth is, a lot of stuff actually does come out of there, but it changes a fair bit when it's being "productized". It's certainly rare to get full products like that (F# is a notable exception), but specific features and ideas are often integrated into shipping products.

    On the other hand, I'm not sure what you mean by "not working for competitors". Is Haskell a competitor to Microsoft tech? I'd say so - it not a Microsoft-backed language, it portably runs on non-MS platforms (Linux, OS X), and a large number of people who use it tend to be affiliated with FLOSS. And yet, Simon Peyton Jones is one of the lead developers of Glasgow Haskell Compiler (GHC), and he's on MSR payroll.

  • by BattyMan (21874) on Tuesday November 10, 2009 @01:47PM (#30048354) Journal

    I swear. Moderators can't read a /sarcasm tag anymore?

    Posting anonymously, for obvious reasons....

One picture is worth 128K words.

Working...