
Microsoft Tries To Censor Bing Vulnerability

Posted by kdawson
from the don't-shout-and-wave-it-about dept.
An anonymous reader writes "Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cash-back exploit with a cease & desist letter, rather than by fixing the underlying security problem. It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing. The original post is currently available in Bing's cache, although perhaps not for long. But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK."
  • by Choozy (1260872) on Tuesday November 10, 2009 @03:46AM (#30043120)

    it will probably be all over the rest of the internet and general common knowledge within the week.

    The way you phrased this, it would seem to indicate that you are against slashdot for releasing this information. I fail to see how releasing this type of information is a bad thing. You would be better off believing in fairies than thinking only 1 person will find a way to exploit a bug. The more people who know about this issue the better as it will be more likely that microsoft will actually fix the bug instead of suppressing the author.

  • by Anonymous Coward on Tuesday November 10, 2009 @03:53AM (#30043150)

    Well - first of all they could simply say they will be working on it hm?

    And secondly - to assume they are not working on it is just as viable as assuming they are working on it. Without any feedback anything can be assumed. This is why a C&D letter is so harmful...

  • Solution (Score:3, Interesting)

    by QuoteMstr (55051) <dan.colascione@gmail.com> on Tuesday November 10, 2009 @04:31AM (#30043284)

    All Microsoft needed to do was include a Message Authentication Code [wikipedia.org] (such as, say, HMAC-SHA1) in the tracking image URL. Microsoft and the merchant obviously already have a shared secret they can use for the purpose. Using a MAC would have been practically free.

    Given what Microsoft pays its programmers, I'm just appalled that nobody thought to include basic precautions in a brand-new interface written in this day and age. Whoever wrote the Bing API specification really should have known better.

  • Re:Solution (Score:2, Interesting)

    by mdenham (747985) on Tuesday November 10, 2009 @04:39AM (#30043312)

    Whoever wrote the Bing API was probably planning on exploiting it in exactly this fashion.

  • Problem is, sending a C&D letter is doubly ineffective:

    • it barely has any effect in keeping potential exploiters from getting access to the vulnerability;
    • someone who cared enough about MS so that they could better themselves is treated like a nuisance (at best).

    In fact, compare that to the way the last TLS-related vulnerability was handled; in both cases, a critical flaw is revealed before a fix was ready. In the TLS case, it was handled with openness and transparency. I'm not saying that MS should do the same (MS probably can't); but they would show more respect to Samir, and to all their bing cashback clients, by:

    • Ask Samir to remove most of the "sensible" post information - you know, instead of threatening with litigation from the get-go.
    • Take an official stance on that problem; what's the risk, who's affected, what should be done - instead of leaving bing cashback clients vulnerable to misinformation and abuse.
  • by BrokenHalo (565198) on Tuesday November 10, 2009 @04:40AM (#30043326)
    The thing that strikes me as odd is why anybody would bother taking the time to meddle with Bing. Does anybody actually use it? Really?

    I know Google has its detractors, but surely no more than Microsoft. We can't all be Steve Ballmer...
  • Re:Solution (Score:3, Interesting)

    by QuoteMstr (55051) <dan.colascione@gmail.com> on Tuesday November 10, 2009 @04:43AM (#30043336)

    A cleverer backdoor would have been a weak custom MAC (say, just the H(M) + secret). Then it'd still be exploitable, yet not obviously bad.

    This article [root.org] goes into the reasons why HMACs are constructed the way they are, and about how naive constructions can be exploited.
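The MAC-in-the-tracking-URL fix proposed in the "Solution" comment above, and the contrast with a weak custom MAC from the reply, as an added example that is not code from the original thread or from Bing. It assumes a hypothetical merchant shared secret, a constructed set of cash-back parameters, and uses HMAC-SHA256 in place of the HMAC-SHA1 mentioned above; the parameter names are invented for illustration.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlencode, parse_qsl, urlsplit

# Constructed shared secret for the example; a real deployment provisions
# one per merchant out of band, which is what the comment above relies on.
MERCHANT_SECRET = b"example-merchant-secret-do-not-use"


def canonical_query(params: dict) -> str:
    """Sort parameters so signer and verifier MAC exactly the same bytes."""
    return urlencode(sorted((k, str(v)) for k, v in params.items()))


def sign_tracking_url(base: str, params: dict, secret: bytes = MERCHANT_SECRET) -> str:
    """Build the tracking-image URL with an HMAC tag covering every parameter.

    HMAC is used rather than a naive sha256(secret + query): the keyed
    construction does not suffer from hash length extension, which is the
    weakness the "weak custom MAC" remark above alludes to.
    """
    query = canonical_query(params)
    tag = hmac.new(secret, query.encode(), hashlib.sha256).hexdigest()
    return f"{base}?{query}&mac={tag}"


def verify_tracking_url(url: str, secret: bytes = MERCHANT_SECRET) -> Optional[dict]:
    """Return the cash-back parameters if the tag is valid, otherwise None.

    Any change to amount, order id or account invalidates the tag, so a
    request the merchant did not sign cannot create a credit.
    """
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    tag = params.pop("mac", None)
    if tag is None:
        return None
    expected = hmac.new(secret, canonical_query(params).encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the verifier does not leak the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return params
```

The tag stops forged or altered requests; a genuine URL replayed twice still needs a per-order uniqueness check on the receiving side.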

  • by lkcl (517947) <lkcl@lkcl.net> on Tuesday November 10, 2009 @06:18AM (#30043724) Homepage

    it's the lack of thought for consequences of censorship that has me confused. in this day and age, with the overwhelming occurrences of embarrassment that occurs repeatedly over censorship attempts and cover-up attempts, surely businesses would work out by now that a "thank you! we'll fix this IMMEDIATELY! and we'll even pay you some money, and, for anyone else who is listening, we'll pay a BOUNTY to anyone else who privately reports security problems in the future!" approach would make them appear to be a much more enlightened and responsible company. ... or am i just expecting too much?

  • by mister_playboy (1474163) on Tuesday November 10, 2009 @08:23AM (#30044256)

    I wrote parking tickets as a job in college... very easy. My rule was to let people go if they showed up during the ticketing, which resolves every single confrontation in a positive way. If I had to call a tow truck on the car, I had to stand my ground, but only once did I encounter someone who showed up during the process and was a real dick about it.

    The parking services was second only to tuition and the football team in amount of revenue generated for the school. If anything, I could write more tickets by letting the few people I encountered during my work go and moving on to the 98% of cars whose owners don't show up rather than wasting 20 minutes arguing with each of them.

    Easily the least stressful job I've ever had.

  • by QuoteMstr (55051) <dan.colascione@gmail.com> on Tuesday November 10, 2009 @08:50AM (#30044420)

    Relying on a hidden browser-side hack for a financial transaction is just amazingly stupid and unnecessary, even if you don't spot any obvious flaws right away (because someone else will).

    And people often do precisely that for affiliate programs. Is it any wonder these programs make up one of the shadier areas of the internet?

  • by commodore64_love (1445365) on Tuesday November 10, 2009 @09:11AM (#30044534) Journal

    I just read the Cease-and-desist letter. The proper response to such a thing is to tell the lawyer to "fuck off".

    But of course that would merely result in you being drug into court by that lawyer.

    Freedom of speech is dead.
    Corporations own us. Don't believe me?
    Go watch the documentary Food Inc (especially the last half hour).

  • Re:Mirror (Score:3, Interesting)

    by Skapare (16644) on Tuesday November 10, 2009 @09:26AM (#30044628) Homepage

    No, six cents does not prove a damned thing. There might be code in there to flag "high transactions" for further checks. They KNOW their system is insecure and could put that in there to deal with the less common riskier cases. THIS is a test to see if people can steal more than a few cents. That's what counts. If a system would allow people to steal six cents every now and then, but had means to prevent theft beyond that, I would feel safe with it as a merchant. I want to know if it is possible to steal a major amount. This is a test to determine whether or not they have added that additional security for less common transactions.

    Oh, I'm sure they will pounce on him like crazy. But that's part of why our legal system is broken. As long as he stops at the point where he proves it is possible to steal a significant amount of money, then it is Microsoft that has committed the crime, and the entire chain of executives that were involved in this should be hauled off to prison for several years for fraud (except those who were already known to be informing the government of this crime taking place).

  • by ShadowRangerRIT (1301549) on Tuesday November 10, 2009 @09:55AM (#30044882)
    You know, just because they make it easy doesn't mean it's not hacking. Is it not breaking and entering if a homeowner uses a flimsy lock? (don't get cute and try and say this is no lock at all; it's just a very bad one) If he intentionally exploited this flaw to register fake transactions, then yes, it would be a crime, and for good reason. This isn't some abuse of the hacking law, like trying to nail people for violating the ToS of a site and calling it hacking, this is basically the definition of the term (in the real world; I know some pedants want to call it cracking instead of hacking, but to the non-geek world, it's hacking).
  • by Anonymous Coward on Tuesday November 10, 2009 @10:00AM (#30044924)
    Right, but that is how the site is structuring the order that /the site/ will send to Paypal; Not relying on the customer to forward the payment information to it through an obscured mechanism. Full Disclosure: I know one of Paypal's security chiefs (And he provides me with free paypal tokens :P); I've read the API, though, and somebody thought it through.
  • by Anonymous Coward on Tuesday November 10, 2009 @10:10AM (#30045034)

    Pardon me, but it seems from his blog that he DID do it. Any similarity to the child porn case from yesterday is limited at best, illusory at worst. This is a different situation.

    Fortunately according to US Jurisprudence, there's a concept called Mens Rea. It's certainly an affirmative defense, but it may serve to eliminate culpability.

    Not that the guy didn't behave stupidly in some ways, but that's another matter.

  • Re:It's called fraud (Score:4, Interesting)

    by Culture20 (968837) on Tuesday November 10, 2009 @10:11AM (#30045054)

    In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following:

    1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account.
    2. Noticed that the cash back did show up with no problem as "available for withdrawal".
    3. Tried again with a much larger purchase. Again the purchase shows up in his account.
    4. Hacker is hoping that the amount will soon become available for withdrawal.
    5. Notified Microsoft about the issue?

    Meanwhile, MS allowed a system where someone could redirect money to *someone else's* account, even an innocent third party. Imagine walking out of a local jewelry store, and the gate drops around you, sirens blare... all because a pickpocket put jewels in your pants. Imagine that instead of all of the sirens and gates, the store owner could have implemented a less expensive alternative that would have completely prevented the thief from doing this. So, the jewelry store is paying more to harass its customers... the store owners must enjoy it.

  • by madcow_bg (969477) on Tuesday November 10, 2009 @10:22AM (#30045162)
    Obligatory quote from The Black Adder:

    Perkins: Oh, your lawyer now, yes sir. Don't you think that might be a bit
              of a waste of money, sir.

    Edmund: Not when he's the finest mind in English legal history. Ever heard
            of Bob Mattingburg?

    Perkins: Oh, yes indeed, sir! A most gifted gentleman!

    Edmund: I remember Mattingburg's most famous case, the case of the bloody knife.
            A man was found next to a murdered body, he had the knife in his hand,
            thirteen witnesses that seen him stab the victim, when the police
            arrived he said, "I'm glad I killed the bastard." Mattingburg not
            only got him off, but he got him knighted in the New Year's Honors
            list, and the relatives of the victim had to pay to have the blood
            washed out of his jacket.
  • by realityimpaired (1668397) on Tuesday November 10, 2009 @10:51AM (#30045504)

    I've had to fight parking tickets in court, though, because they were unjustly given... If the parking space says, for example, that street parking is allowed until 4:00pm, and they write a ticket that's dated 4:01, then it's unreasonable... around here, they're supposed to give you 5 minutes' leeway to allow for differences in how your watch is set. (that's actually in the law in this part of the world).

    Worse still is the time I was given a $300 parking ticket because the jackass who wrote it was more concerned with meeting his quota than he was looking for the accessible parking permit that was clearly displayed on the dashboard... at least, it was clearly displayed until your view of it was blocked by the parking ticket that the idiot put, quite literally, on top of the accessible parking permit. The ticket wasn't for going over time, it was because my car was parked in a handicapped spot, and he hadn't noticed the permit. That one was resolved by a trip to city hall with both the permit and the ticket, but I shouldn't have had to take an afternoon off work because of a blind parking warden.

    I fully agree that parking inspectors do actually do some important work. And I accept that most of them are just trying to do an honest day's work, and trying to actually perform a civic service. But some of the parking wardens are clearly becoming jaded at being the furries of the law-enforcement community, and are taking it out on people by power tripping.

  • Re:Mirror (Score:3, Interesting)

    by Richy_T (111409) on Tuesday November 10, 2009 @01:48PM (#30048386) Homepage

    That does remind me of when I managed a change machine at university. It would change 20p, 50p and £1 coins into 10p pieces. Some bright spark worked out (or heard) that you could wrap a 10p coin with tin foil and put it in the machine. Most times it would recognize the coin as 10 and just spit it out but one time in however many, it would take the coin and give change for 50p.

    The fix? The machine had dip switches for what coins it would accept and there was one for 10p that was set to off. I set it to on. The fraudsters would put in their wrapped 10p and receive a nice, shiny unwrapped 10p in change. I saw a few in the collection bin for a couple of weeks and then it stopped.
