Censorship Microsoft Security

Microsoft Tries To Censor Bing Vulnerability 275

An anonymous reader writes "Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cash-back exploit with a cease & desist letter, rather than by fixing the underlying security problem. It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing. The original post is currently available in Bing's cache, although perhaps not for long. But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK."
  • by Shadow of Eternity ( 795165 ) on Tuesday November 10, 2009 @02:33AM (#30043076)

    it will probably be all over the rest of the internet and general common knowledge within the week.

    • by u38cg ( 607297 ) <calum@callingthetune.co.uk> on Tuesday November 10, 2009 @02:38AM (#30043094) Homepage
      That seems pretty unlikely to me.

      ~Barbara

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Just wait for it.
        -Barbra

      • Re: (Score:2, Interesting)

        I just read the Cease-and-desist letter. The proper response to such a thing is to tell the lawyer to "fuck off".

        But of course that would merely result in you being drug into court by that lawyer.

        Freedom of speech is dead.
        Corporations own us. Don't believe me?
        Go watch the documentary Food Inc (especially the last half hour).

    • Re: (Score:2, Interesting)

      by Choozy ( 1260872 )

      it will probably be all over the rest of the internet and general common knowledge within the week.

      The way you phrased this, it would seem to indicate that you are against slashdot for releasing this information. I fail to see how releasing this type of information is a bad thing. You would be better off believing in fairies than thinking only 1 person will find a way to exploit a bug. The more people who know about this issue the better as it will be more likely that microsoft will actually fix the bug instead of suppressing the author.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        The phrasing seemed pretty neutral to me. How would you have phrased it so that it doesn't seem to indicate that it is a bad thing?

        • by Shadow of Eternity ( 795165 ) on Tuesday November 10, 2009 @03:25AM (#30043268)

          GP just wants someone to hate on, you don't get much more neutral in phrasing than that without making a two word post saying only "Streisand effect."

      • Just interested in keeping the extra income 8)

    • by Anonymous Coward on Tuesday November 10, 2009 @04:07AM (#30043428)

      like this you mean?

      Breaking Bing Cashback
      Posted November 4th, 2009 by Samir

      I've never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let's see how these transactions might have "accidentally" got credited to my account.

      First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:

      https://ssl.search.live.com/cashback/pixel/index?jftid=0&jfoid=<orderid>&jfmid=<merchantid>&m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>

      This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated. Bing doesn't seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have "cleared," and I'm guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

      Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven't done enough work to say it with confidence, but a malicious user might be able to block another user's legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order ID's (e.g. sequential), a malicious user can "use up" all the future order ID's, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

      Based on what I've found, I wouldn't implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, I'll demonstrate some other subtle but important reasons to avoid using Bing Cashback.

      • by mcvos ( 645701 ) on Tuesday November 10, 2009 @05:31AM (#30043756)

        Financial transactions based on a tracking pixel? Really? I just don't know where to start to point out how wrong that is.

        PayPal has dozens of different ways to pay, and most of them suck, but at least they don't encourage people to rely on tracking pixels. Either you explicitly send the customer to the payment gateway (including login or entering credit card info there) to authorize the transaction, or you have your own server talk directly to the payment gateway. Relying on a hidden browser-side hack for a financial transaction is just amazingly stupid and unnecessary, even if you don't spot any obvious flaws right away (because someone else will).

      • by buchner.johannes ( 1139593 ) on Tuesday November 10, 2009 @06:16AM (#30043946) Homepage Journal

        In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cashback exploit with a cease & desist letter, rather than by fixing the underlying security problem.

        Maybe they are doing both?

        The cease and desist letter seems partially reasonable:

        Specifically, at this site you are providing information directing users how to misuse the microsoft Bing Cashback program through unauthorized technical means. Further, on this website you admit that you have personally misused the Cashback program in this regard.

        It's pretty stupid to admit you violate a law on a blog that has your name on it. He should have used an anonymous blog for that or informed Microsoft of the issue in the first place.

    • by theurge14 ( 820596 ) on Tuesday November 10, 2009 @04:11AM (#30043440)

      Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.

      • Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.

        For all we know, the OP is a proponent of that 'responsible disclosure' nonsense.

      • Re: (Score:3, Informative)

        Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.

        It's not nonsense, it's just silly to expect it to be your only line of defense. By all means use an obscure platform, as long as you have people who can maintain and support it, but don't use it as a substitute for some common sense, and for securing your system, keeping it properly maintained and updated, limiting points of entry, blocking remote root access, using non-standard, non-root usernames with very secure passwords for system maintenance/root tasks, etc.

        But security through obscurity does still

  • by blankinthefill ( 665181 ) <blachanc&gmail,com> on Tuesday November 10, 2009 @02:42AM (#30043108) Journal
    I'm curious how 'anonymous reader' knows that Microsoft is doing nothing to fix the problem. This has been bugging me for a long time. It's possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system? A C&D letter doesn't mean that other actions haven't been taken. Just a thought.
    • No (Score:5, Insightful)

      by oGMo ( 379 ) on Tuesday November 10, 2009 @03:27AM (#30043272)

      If you have a glaring vulnerability that lets people defraud your customers out of arbitrary amounts of money, the only sane thing to do is immediately disable the feature. Not wait for a solution. Not cover up the issue. You make coverage of the issue irrelevant. If one person figured it out and wrote about it, 100 other people also figured it out and are using it for personal gain.

    • Re: (Score:3, Insightful)

      Incompetence is more than an adequate explanation. I, for one, am no longer shocked when huge companies admit to shamefully incompetent wrongdoing. And Microsoft has a history of such blind stupidity, so no surprises there either.
    • Re: (Score:3, Insightful)

      by mcvos ( 645701 )

      It's possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system?

      How the hell does a C&D prevent assholes from breaking your system? Only fixing your system can do that. They should have sent him a letter expressing their gratitude for pointing out this security hole.

      But more than that, they shouldn't have enabled and encouraged merchants to rely on a horribly insecure payment method.

    • I'm curious how 'anonymous reader' knows that Microsoft is doing nothing to fix the problem. This has been bugging me for a long time. It's possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system?

      A C&D letter doesn't mean that other actions haven't been taken. Just a thought.

      Obviously it's implied. But I think it's a reasonable implication.
      1) If it was identified already as a problem on Microsoft's side, I don't think they would've gone through all the work to build the system as such. Their documentation indicated that this is how they suggest you setup your transaction. That tells me they thought they had a complete implementation and design.
      2) Is there any indication in the C&D that corrective measures are being taken (other than squelching the whistle-blower)?

  • Mirror (Score:5, Informative)

    by Rufus211 ( 221883 ) <`gro.hsikcah' `ta' `todhsals-sufur'> on Tuesday November 10, 2009 @02:43AM (#30043110) Homepage

    I've never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let's see how these transactions might have "accidentally" got credited to my account.

    First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here [microsoft.com]. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:

    https://ssl.search.live.com/cashback/pixel/index? jftid=0&jfoid=<orderid>&jfmid=<merchantid> &m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>

    This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated. Bing doesn't seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have "cleared," and I'm guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

    Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven't done enough work to say it with confidence, but a malicious user might be able to block another user's legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order IDs (e.g. sequential), a malicious user can "use up" all the future order IDs, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

    Based on what I've found, I wouldn't implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, I'll demonstrate some other subtle but important reasons to avoid using Bing Cashback.

    It seems like people have still not learned to never trust anything from the user. This reminds me of some trivially exploitable web merchants years ago. They would store the entire shopping basket, including prices, in the user's cookies. The user simply modifies their cookies so that everything costs $1 or $0.01 and they could order a dozen CPUs / t-shirts / whatever for a few bucks.

    • Re:Mirror (Score:5, Insightful)

      by Rufus211 ( 221883 ) <`gro.hsikcah' `ta' `todhsals-sufur'> on Tuesday November 10, 2009 @02:48AM (#30043136) Homepage

      Also the guy who posted this is an idiot for placing a $100,000 transaction which would result in a $2,000 payment, and then bragging about it. His two $1 transactions proved the vulnerability and the $0.06 payment generated is easily ignored. The $100k transaction with $2k payment is just flat out wire fraud asking for federal PMITA prison.

      • Seems pretty spot-on to me.

      • Re:Mirror (Score:5, Insightful)

        by slimjim8094 ( 941042 ) on Tuesday November 10, 2009 @03:13AM (#30043230)

        Parent is not a troll. This guy is seriously in for it - the FBI et al. frown upon people who cheat companies out of literally thousands of dollars. The six cents would've been overlooked, and proved the point nicely.

        $2k will certainly not be overlooked. Even if he never collects it... he's still fucked.

        • by Anonymous Coward

          This is no more a cheat than taking someone's money for a shell game and showing them afterwards how they were scammed.

          If he's said "by the way, I managed to get 20 grand off you by this" then he's not defrauded them. If he'd kept quiet THEN he'd have defrauded them.

          • Re: (Score:3, Informative)

            by abigsmurf ( 919188 )
            Admitting a crime does not absolve you of it. In the first example, it's still technically a crime, it's just not worth anybody's time to report and prosecute it.

            This guy has been seriously stupid. Not only is it clearly fraud, he's also up for conspiracy to defraud charges for telling other people how to do this.
        • Re: (Score:3, Interesting)

          by Skapare ( 16644 )

          No, six cents does not prove a damned thing. There might be code in there to flag "high transactions" for further checks. They KNOW their system is insecure and could put that in there to deal with the less common riskier cases. THIS is a test to see if people can steal more than a few cents. That's what counts. If a system would allow people to steal six cents every now and then, but had means to prevent theft beyond that, I would feel safe with it as a merchant. I want to know if it is possible to s

      • Wrong! The feds won't get involved for anything less than $50,000. My company called them once and got turned down flat. They had to wildly exaggerate the amount of losses to get them to investigate.
    • Re:Mirror (Score:5, Funny)

      by TheWizardTim ( 599546 ) on Tuesday November 10, 2009 @03:16AM (#30043242) Journal

      Another fun trick was to take a $1 and a $20 and cut them both in half. Then tape half of the $1 and the $20 to make two $21 dollar bills. Silly I know, but if you put them in a change machine, it would look for the numbers in the corners, it would read a 20 then a 1 and then give you $21 in change. You then took the other part and got $21 in change as well. Quick way to double your money. Now the machines check to make sure that all four numbers on the corners match up.

      • Re:Mirror (Score:5, Insightful)

        by jrumney ( 197329 ) on Tuesday November 10, 2009 @04:07AM (#30043424)

        it would read a 20 then a 1 and then give you $21 in change.

        Sounds like an urban myth to me. Would it add 20 and 20 from the corners of a normal $20 bill and give you $40 change?

        • Re: (Score:3, Insightful)

          by QuoteMstr ( 55051 )

          Maybe one rooted in truth, however. I can imagine a bill-reader using some simple image recognition against just one corner of the bill. You could get two $20 bills that way.

      • Re: (Score:3, Interesting)

        by Richy_T ( 111409 )

        That does remind me of when I managed a change machine at university. It would change 20p, 50p and £1 coins into 10p pieces. Some bright spark worked out (or heard) that you could wrap a 10p coin with tin foil and put it in the machine. Most times it would recognize the coin as 10 and just spit it out but one time in however many, it would take the coin and give change for 50p.

        The fix? The machine had dip switches for what coins it would accept and there was one for 10p that was set to off. I set it t

  • Most entertaining... (Score:5, Informative)

    by netpixie ( 155816 ) on Tuesday November 10, 2009 @02:47AM (#30043130) Homepage

    is the line from the letter

    "cease and desist the posting in any location of the material and information contained in this post"

    Seeing as it is their SDK that contains the details of this "feature", are they going to send themselves a C&D and then pull the SDK?

  • by 1s44c ( 552956 ) on Tuesday November 10, 2009 @03:02AM (#30043180)

    After about 30 years is this still news?

    Use Microsoft software and you get screwed. They don't design software they design the user interface and botch the software. They are now as always a marketing not an IT company. It's always been that way, it will always be that way.

    • In this case, it's Microsoft getting screwed by Microsoft. They are on the verge of paying, or have already paid, $2000 out-of-pocket to a guy who did a simple GET.

      Entirely Microsoft's problem - except it'll become the guy's problem when he gets prosecuted for fraud. Faking a $100k transaction is not a smart move. The $1 transaction is a perfectly fine proof-of-concept.

      • by 1s44c ( 552956 )

        In this case, it's Microsoft getting screwed by Microsoft. They are on the verge of paying, or have already paid, $2000 out-of-pocket to a guy who did a simple GET.

        They can't even validate user input where failing to do so directly costs them cash. They are not hiding behind some get out of everything license agreement and they still can't do the basics.

    • A marketing company which subcontracts out its marketing and makes billions from software sales. That's a pretty weird marketing company.
      • by 1s44c ( 552956 )

        A marketing company which subcontracts out its marketing and makes billions from software sales. That's a pretty weird marketing company.

        Agreed they are pretty weird. They don't sell software though, they sell the dream of software that 'just works' to people that for the most part don't believe there is an alternative to bug ridden and low quality code.

    • Be fair, they botch the user interface as well.
  • Source of URL (Score:4, Informative)

    by pgn674 ( 995941 ) on Tuesday November 10, 2009 @03:12AM (#30043220) Homepage
    If anyone is quickly wondering exactly where he got the info to construct the request URL in his original post (like, how did he know about jftid, jfoid, and jfmid?), it looks like page 33 of the linked Integration Guide PDF [microsoft.com] gives the URL https://ssl.bing.com/cashback/javascripts/1x1tracking.js [bing.com]. That JavaScript file has info on constructing that URL.
  • Solution (Score:3, Interesting)

    by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Tuesday November 10, 2009 @03:31AM (#30043284)

    All Microsoft needed to do was include a Message Authentication Code [wikipedia.org] (such as, say, HMAC-SHA1) in the tracking image URL. Microsoft and the merchant obviously already have a shared secret they can use for the purpose. Using a MAC would have been practically free.

    Given what Microsoft pays its programmers, I'm just appalled that nobody thought to include basic precautions in a brand-new interface written in this day and age. Whoever wrote the Bing API specification really should have known better.

    • Re: (Score:2, Interesting)

      by mdenham ( 747985 )

      Whoever wrote the Bing API was probably planning on exploiting it in exactly this fashion.

      • Re: (Score:3, Interesting)

        by QuoteMstr ( 55051 )

        A cleverer backdoor would have been a weak custom MAC (say, just the H(M) + secret). Then it'd still be exploitable, yet not obviously bad.

        This article [root.org] goes into the reasons why HMACs are constructed the way they are, and about how naive constructions can be exploited.

    • Can you elaborate on that? The tracking pixels are used to report transactions to Bing's API by having the customer's web browser do a GET request to Bing's cashback server. Since it is all done on the client side, a malicious user could just include the MAC for the merchant in the forged transaction. So I don't see how using a MAC would help at all.
      • Re: (Score:3, Informative)

        by QuoteMstr ( 55051 )

        Can you elaborate on that?

        Sure. A MAC actually can mean two things, depending on context: an algorithm or a value. I'm going to use "MAC" to mean the algorithm, and "authenticator" to refer to the output of the algorithm. YMMV.

        The MAC takes as input the message to be authenticated, M, and a key S. Let's say that M is information about the item to be purchased, and S is a password the merchant set up with Microsoft. Running the MAC on M and S produces A. The sender of the message sends both A and M to the re

    • Re: (Score:3, Informative)

      by Rufus211 ( 221883 )

      It's pretty clear that whoever designed this API didn't even take a passing glance at the security or reliability implications. There are 2 ways (from the linked slides) for a merchant to report cashback activity to MS:

      1) Tracking pixel: this gives an instant update to the user, but is completely insecure and also fairly unreliable (image fails to load, cross-site https issues, random network hiccup, etc).

      2) FTP upload of a plain text list: yes really, plain old FTP. This is at least reliable but is only au

      • The right way: SOAP

        Yep. You don't need SOAP per se, though. The important thing is having the merchant talk directly to Microsoft. Some people are oddly resistant to that notion though, and if you're going to use the tracking pixel approach, you need a MAC.

        That indicates there is absolutely no auditing or rationalization between what the e-tailer thinks should be paid out and what MS thinks should be paid out. Even something as stupid as end-of-month totals should flag that there are bogus transactions.

        Agr

    • Seriously.... they couldn't possibly assume that their affiliates can program, so the key would have to be in the users' web browser instead of on the affiliates' server.
      • Merchants must at least have some ability to program, otherwise they wouldn't be able to create sites at all. Creating a MAC authenticator isn't hard: all you need to do is call a hash function a few times. But as another poster mentioned, the better thing to do is to just have the merchant talk directly to Microsoft and sidestep the whole problem.
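Added example (not code from the original post, from QuoteMstr, or from Microsoft's SDK): a Python sketch of the HMAC-authenticated tracking URL proposed in the "Solution" comment above, with a receiving side that verifies the authenticator before applying the order-ID de-duplication the mirrored post describes. The endpoint, the per-merchant key, the `sig` parameter name and the field order are assumptions for the example; the six query fields are the ones quoted from the SDK on this page. The same five requests are run against a receiver in the unauthenticated mode the post describes and in the authenticated mode, which also answers the objection raised in this subthread: the key lives on the merchant's server and Microsoft's, never in the browser, so a request fabricated from the public URL format carries no valid authenticator, and a replayed legitimate one is still caught by the order-ID check.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder endpoint and a constructed per-merchant key; neither is Bing's.
# The key is shared by the merchant's server and the receiver only, never sent to the browser.
ENDPOINT = "https://cashback.example.invalid/pixel/index"
MERCHANT_KEYS = {"merchant-42": b"constructed-example-key-not-a-real-secret"}

# Fields covered by the authenticator, in a fixed order so both sides hash identical bytes.
SIGNED_FIELDS = ("jftid", "jfoid", "jfmid", "m[0]", "p[0]", "q[0]")


def canonical_message(params):
    """Serialize the signed fields deterministically (KeyError if one is missing)."""
    return "&".join("%s=%s" % (k, params[k]) for k in SIGNED_FIELDS).encode()


def build_tracking_url(order_id, merchant_id, item_id, price, qty):
    """Merchant side: the server that knows the real order mints the pixel URL and its HMAC."""
    params = {"jftid": "0", "jfoid": order_id, "jfmid": merchant_id,
              "m[0]": item_id, "p[0]": "%.2f" % price, "q[0]": str(qty)}
    params["sig"] = hmac.new(MERCHANT_KEYS[merchant_id], canonical_message(params),
                             hashlib.sha256).hexdigest()
    return ENDPOINT + "?" + urlencode(params)


class CashbackReceiver:
    """Receiving side. With require_signature=False it behaves like the scheme the post
    describes (order-ID de-duplication only); with True it checks the HMAC first."""

    def __init__(self, require_signature):
        self.require_signature = require_signature
        self.seen = set()

    def accept(self, url):
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
        key = MERCHANT_KEYS.get(q.get("jfmid", ""))
        if key is None:
            return "unknown merchant"
        if self.require_signature:
            try:
                expected = hmac.new(key, canonical_message(q), hashlib.sha256).hexdigest()
            except KeyError:
                return "missing field"
            # Constant-time comparison; a missing or altered sig fails here.
            if not hmac.compare_digest(expected.encode(), q.get("sig", "").encode()):
                return "bad authenticator"
        dedup = (q.get("jfmid"), q.get("jfoid"))
        if dedup in self.seen:
            return "duplicate order id"
        self.seen.add(dedup)
        return "credited"


def unsigned_request(order_id, merchant_id, price):
    """A request built by someone who knows only the URL format, not the merchant key."""
    return ENDPOINT + "?" + urlencode({"jftid": "0", "jfoid": order_id, "jfmid": merchant_id,
                                       "m[0]": "sku-1", "p[0]": "%.2f" % price, "q[0]": "1"})


def demo(require_signature):
    """Run one fixed sequence of requests against a receiver and collect the verdicts."""
    rx = CashbackReceiver(require_signature)
    legit = build_tracking_url("10001", "merchant-42", "sku-7", 1.00, 1)
    verdicts = {}
    verdicts["legit"] = rx.accept(legit)
    verdicts["replay"] = rx.accept(legit)  # confirmation page reloaded
    verdicts["tampered"] = rx.accept(legit.replace("p%5B0%5D=1.00", "p%5B0%5D=104000.00"))
    # An unsigned report for the merchant's next (predictable) order ID, then the real one.
    verdicts["unsigned_future_id"] = rx.accept(unsigned_request("10002", "merchant-42", 50.00))
    verdicts["later_legit"] = rx.accept(build_tracking_url("10002", "merchant-42", "sku-9", 50.00, 1))
    return verdicts


if __name__ == "__main__":
    for mode in (False, True):
        print("require_signature=%s: %s" % (mode, demo(mode)))
```

In the unauthenticated run the tampered and unsigned requests are only ever stopped by the duplicate-ID check, and the unsigned report for order 10002 is credited while the merchant's real 10002 is then refused, which is exactly the blocking side effect the post warns about. In the authenticated run both forgeries fail on the authenticator and the real 10002 goes through. The receiver still needs the duplicate check, since a MAC does nothing against replaying a genuine URL.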

  • mirrored post (Score:3, Informative)

    by lkcl ( 517947 ) <lkcl@lkcl.net> on Tuesday November 10, 2009 @03:59AM (#30043400) Homepage

    http://lkcl.net/reports/bing.censorship.attempt [lkcl.net] - additional mirrors will be added as i find them.

    • I simply screenshot it and uploaded it to an image host. *shrug* The cat is already out of the bag now, and MS will have to fix this.

    • fuck you. do not attempt to censor people's efforts to bring to your
      attention your own stupidity. go fix the problem, and pay the guy who
      found the problem a lot of money, as a thank you.

      Microsoft's standard policy of thank-you for people who help them prevent multi-million losses is a free T-shirt.
      You can't really hope for any better.

  • It's called fraud (Score:5, Insightful)

    by cookd ( 72933 ) <douglascookNO@SPAMjuno.com> on Tuesday November 10, 2009 @05:59AM (#30043866) Journal

    This is called "fraud". Look it up. It's been around for a long time, a lot longer than HTTP. There are standard business practices for dealing with it. Not all of them are technical. This system's technical defenses are probably sufficient to raise an alarm (delayed by a few weeks as the results are collated), and it will produce a pretty good paper trail leading to the owner of the Bing account. Some of the systems take into account minor details such as the existence of accountants, a police force, a paper trail, and a legal system. Obviously some stronger technical measures might have made it a bit more difficult to pull off this particular fraud, or maybe it might have even stopped it, but the non-technical measures will also work just fine if they are called into play.

    Whether or not the door is obviously guarded, it's still illegal to steal stuff from a store. The fact that the door was not protected with the latest and greatest in RFID theft detection systems doesn't change the fact that what you are doing is illegal. And perhaps the tracking process is slower than what you see in movies, people still get tracked down and arrested, days or weeks after the event. Moving from the streets onto the Internet doesn't really change the rules much (except that your case will probably wind up with Federal jurisdiction).

    In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following:
    1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account.
    2. Noticed that the cash back did show up with no problem as "available for withdrawal".
    3. Tried again with a much larger purchase. Again the purchase shows up in his account.
    4. Hacker is hoping that the amount will soon become available for withdrawal.

    On the other side of the world, the accounting systems for Microsoft and the associated merchant have likely compared invoices and noticed the discrepancies. The small ones got noted, but they were thrown out as "somebody is playing with the system, but it's not worth dealing with it". But this month, when going over the books, they're going to find a nice big 100,000 item that doesn't match up with any purchase recorded on the store's official records. However, they do have the account number of the buyer that should be getting the cash back. I'm not sure what typically happens at this point, but it probably involves cancelling dinner for the wolf pack so that by the time they're ready to send out the posse, the wolves are hungry.

    In this case, Microsoft has apparently (I haven't looked into this) provided an API by which a store can report a sale and attribute the sale to a particular Bing account. The API has varying levels of security, depending on how much effort the store wants to put into preventing fake transactions from entering the system. Low effort might be fine and takes less time to set up, but it's easier to attack and that means more work to do when reconciling the accounts. Just like many other mechanisms for quickly distributing non-critical information between merchants, this isn't meant to be the authoritative information transmission system, just a way for people to keep status on accounts in between the regularly-scheduled account reconciliations. This way Bing can update your account balance within seconds of the purchase. Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences. The differences go to the auditor and possibly to the police or FBI.

    Could we maybe just think for a second before acting like jerks? Being a jerk means everybody suffers. I mean, just because I see a way to deface somebody's website doesn't mean I am obligated to do so. I walk by 100 cars a day, and I could easily spray shaving cream all over them and not get caught. But if everybody did that, quality of life would go down for everybody. Same thing on the internet.

    I hate this attitude out there th
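Added example (not from this comment's author, from Rufus211, or from Microsoft): a Python reconciliation pass of the kind described above and in the earlier "end-of-month totals" remark, run over constructed sample ledgers. The merchant orders, the reported transactions, the account names and the 2% cashback rate are all assumptions for the example. It treats the merchant's order records as authoritative, pays out only for accounts whose reports all reconcile, and lists the exceptions an auditor would follow up on.

```python
from collections import namedtuple
from decimal import Decimal

# Constructed sample ledgers (not real data). The merchant's order system is treated as
# authoritative; REPORTED is what arrived through the tracking-pixel channel.
MerchantOrder = namedtuple("MerchantOrder", "order_id total")
Reported = namedtuple("Reported", "order_id account total")

MERCHANT_ORDERS = [
    MerchantOrder("10001", Decimal("1.00")),
    MerchantOrder("10003", Decimal("59.99")),
    MerchantOrder("10004", Decimal("250.00")),
    MerchantOrder("10005", Decimal("19.00")),
]
REPORTED = [
    Reported("10001", "acct-A", Decimal("1.00")),       # consistent
    Reported("10002", "acct-B", Decimal("1.00")),       # merchant has no such order
    Reported("10003", "acct-C", Decimal("59.99")),      # consistent
    Reported("10004", "acct-C", Decimal("2500.00")),    # order exists, amount inflated
    Reported("10009", "acct-B", Decimal("104000.00")),  # merchant has no such order
]

CASHBACK_RATE = Decimal("0.02")  # assumed 2% for the example; real rates varied per merchant


def reconcile(merchant_orders, reported, rate=CASHBACK_RATE):
    """Match reported transactions against the merchant's records.

    Returns cashback payable per account for accounts whose reports all reconcile, the
    accounts put on hold because at least one of their reports did not, the individual
    exceptions as (reason, order_id, account, reported total), and merchant orders that
    never got reported at all (a lost pixel request, for instance).
    """
    by_id = {o.order_id: o for o in merchant_orders}
    payable = {}
    exceptions = []
    for r in reported:
        order = by_id.get(r.order_id)
        if order is None:
            exceptions.append(("no_matching_order", r.order_id, r.account, r.total))
        elif order.total != r.total:
            exceptions.append(("amount_mismatch", r.order_id, r.account, r.total))
        else:
            cashback = (r.total * rate).quantize(Decimal("0.01"))
            payable[r.account] = payable.get(r.account, Decimal("0")) + cashback
    held = sorted({e[2] for e in exceptions})
    reported_ids = {r.order_id for r in reported}
    unreported = [o.order_id for o in merchant_orders if o.order_id not in reported_ids]
    return {
        "payable": {a: amt for a, amt in payable.items() if a not in held},
        "held": held,
        "exceptions": exceptions,
        "unreported": unreported,
    }


def exposure_by_account(exceptions):
    """Sum the reported totals behind the exceptions per account: what would have been
    paid out (times the rate) had nobody compared the books."""
    totals = {}
    for _, _, account, total in exceptions:
        totals[account] = totals.get(account, Decimal("0")) + total
    return totals


if __name__ == "__main__":
    result = reconcile(MERCHANT_ORDERS, REPORTED)
    for key, value in result.items():
        print(key, value)
    print("exposure", exposure_by_account(result["exceptions"]))
```

Holding the whole account rather than just the unmatched report is deliberate: the small consistent order from acct-C is genuine, but an account that also reported an inflated one is exactly the pattern (a probe, then a large claim) the comment describes, and the consistent entry is what makes it worth a human look rather than an automatic write-off.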

    • This way Bing can update your account balance within seconds of the purchase. Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences. The differences go to the auditor and possibly to the police or FBI.

      Only his $0.06 was already available for withdrawal, i.e. it had passed all the checks.

      I hate this attitude out there that "if it isn't nailed down, I have every right to grab it and take it home, and if it is nailed down, I have every right to destroy it". I don't want a world (or even an Internet) where everything is nailed down and/or destroyed.

      Actually I think the attitude is, if you are going to deploy software that deals with real money, make it secure. The posting wasn't a "howto steal money from microsoft", it was just a blog post detailing a security flaw. There is a big difference between some blog with pictures of kittens and an online shopping system, implemented by a major IT company. If you can deface the homepage of a major IT company it shows incompete

    • Re:It's called fraud (Score:4, Interesting)

      by Culture20 ( 968837 ) on Tuesday November 10, 2009 @09:11AM (#30045054)

      In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following: 1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account. 2. Noticed that the cash back did show up with no problem as "available for withdrawal". 3. Tried again with a much larger purchase. Again the purchase shows up in his account. 4. Hacker is hoping that the amount will soon become available for withdrawal.

      5. Notified Microsoft about the issue?

      Meanwhile, MS allowed a system where someone could redirect money to *someone else's* account, even an innocent third party. Imagine walking out of a local jewelry store, and the gate drops around you, sirens blare... all because a pickpocket put jewels in your pants. Imagine that instead of all of the sirens and gates, the store owner could have implemented a less expensive alternative that would have completely prevented the thief from doing this. So, the jewelry store is paying more to harass its customers... the store owners must enjoy it.

  • Hey Mercedes! (Score:3, Insightful)

    by tjstork ( 137384 ) <todd.bandrowskyNO@SPAMgmail.com> on Tuesday November 10, 2009 @06:27AM (#30044002) Homepage Journal

    Your car has an exploit, so I stole it and drove it into a wall to prove a point.

  • MS Response (Score:3, Funny)

    by TheVelvetFlamebait ( 986083 ) on Tuesday November 10, 2009 @07:28AM (#30044280) Journal

    What bing vulnerability?
