YOUR IT - Technology for you


Why Microsoft was wrong to silence Bing cashback whistleblower


If someone spots a potentially costly security hole in your product would you say thanks and fix it, or send in the lawyers? Microsoft opted for the latter, and it was absolutely wrong on this occasion to do so.

Anyone remember the media fanfare that accompanied the launch of the Microsoft Bing search engine last year? Much of it concentrated on the silly Google Killer angle, but a fair chunk was about the user bribery angle.

Essentially, in order to get people to at least come and try the new search engine, Microsoft introduced a cashback system which allowed searchers to earn money for every product they purchased when shopping online through Bing.

Unfortunately, and unbeknown to Microsoft, it would appear that there was something of a security hole in the cashback system which potentially left the company open to fraud on a major scale. Nobody likes lawyers, but is it really surprising that Microsoft resorted to using them so quickly in this case? I think so, and am happy to explain why if you will bear with me.

Bing users could, courtesy of a flaw in the software API, submit fake transactions to Bing which would go totally undetected by Microsoft. It is not known at this time whether anyone has been actively exploiting the vulnerability.

However, one user certainly spotted it and not only worked out how the cashback system could be exploited but went ahead and exploited it, publishing an account on his blog. Samir Meghani said that while he had never actually bought anything using Bing Cashback "the balance of my account is $2,080.06" and called it an "obvious flaw".

What Meghani did not do was show the method of the exploit; indeed, he said in a now withdrawn posting, "I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated". That does not sound like a hacking guide to me.

So why did Meghani withdraw his post and what did the Microsoft legal team actually say? More on page 2...
