Why Microsoft was wrong to silence Bing cashback whistleblower

If someone spots a potentially costly security hole in your product would you say thanks and fix it, or send in the lawyers? Microsoft opted for the latter, and it was absolutely wrong on this occasion to do so.

Anyone remember the media fanfare that accompanied the launch of the Microsoft Bing search engine last year? Much of it concentrated on the silly Google Killer angle, but a fair chunk was about the user bribery angle.

Essentially, in order to get people to at least come and try the new search engine, Microsoft introduced a cashback scheme: shoppers who bought from participating merchants through Bing earned a percentage of the purchase price back.

Unfortunately, and unbeknown to Microsoft, it would appear that there was something of a security hole in the cashback system which potentially left the company open to fraud on a major scale. Nobody likes lawyers, but is it really surprising that Microsoft resorted to using them so quickly in this case? I think so, and am happy to explain why if you will bear with me.

Because of a flaw in the cashback system's API, Bing users could submit fake transactions to Bing that went completely undetected by Microsoft. It is not known at this time whether anyone has been actively exploiting the vulnerability.
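The article does not describe the mechanics of the flaw (Meghani deliberately withheld them), so what follows is an added, hypothetical example of the general failure mode being described, not Microsoft's code and not a claim about how Bing's API actually worked. It models a merchant "sale reported" endpoint in two forms: an insecure one that credits cashback on whatever an unauthenticated request claims, and a hardened one that requires each report to carry an HMAC computed with a per-merchant shared secret over the order fields, compares it in constant time, and refuses to credit the same order twice. The merchant IDs, secrets, field names and 5% rate are all assumptions for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Hypothetical per-merchant shared secrets. In a real deployment these are
# provisioned out of band and never leave the merchant's and operator's servers.
MERCHANT_SECRETS = {
    "merchant-42": b"s3cret-for-merchant-42",
}

CASHBACK_RATE_PERCENT = 5  # assumed 5% cashback, integer maths to avoid float drift


def canonical(report):
    """Canonical byte string over the fields that must be integrity-protected.
    The signature itself is deliberately excluded."""
    return "|".join([
        report["merchant_id"],
        report["order_id"],
        report["user_id"],
        str(int(report["amount_cents"])),
    ]).encode()


def sign_report(report, secret):
    """What a legitimate merchant's server computes when it reports a sale."""
    return hmac.new(secret, canonical(report), hashlib.sha256).hexdigest()


@dataclass
class CashbackLedger:
    balances: dict = field(default_factory=dict)   # user_id -> cents owed
    seen_orders: set = field(default_factory=set)  # (merchant_id, order_id) already credited

    def credit(self, user_id, amount_cents):
        cashback = int(amount_cents) * CASHBACK_RATE_PERCENT // 100
        self.balances[user_id] = self.balances.get(user_id, 0) + cashback


def record_insecure(ledger, report):
    """Vulnerable pattern: trust every field of an unauthenticated report.
    Anyone who can craft the request can invent purchases and be paid for them."""
    ledger.credit(report["user_id"], report["amount_cents"])
    return True


def record_secure(ledger, report):
    """Hardened pattern: authenticate the report, bind the amount to the
    signature, and refuse replays of an already-credited order."""
    secret = MERCHANT_SECRETS.get(report.get("merchant_id"))
    if secret is None:
        return False  # unknown merchant: nobody we share a secret with
    if not report.get("order_id"):
        return False  # an order id is required for replay detection
    expected = sign_report(report, secret)
    # Constant-time comparison so timing does not leak the expected digest.
    if not hmac.compare_digest(expected, str(report.get("sig", ""))):
        return False  # forged, or a signed report whose amount was tampered with
    key = (report["merchant_id"], report["order_id"])
    if key in ledger.seen_orders:
        return False  # replay of a report that was already credited
    ledger.seen_orders.add(key)
    ledger.credit(report["user_id"], report["amount_cents"])
    return True


if __name__ == "__main__":
    # Constructed sample: a user forging a $40,000 purchase they never made.
    forged = {"merchant_id": "merchant-42", "order_id": "FAKE-1",
              "user_id": "attacker", "amount_cents": 4_000_000}
    insecure = CashbackLedger()
    record_insecure(insecure, forged)
    print("insecure endpoint credited:", insecure.balances)
    secure = CashbackLedger()
    print("secure endpoint accepted forgery:", record_secure(secure, forged))
```

The point of the hardened version is that the party who is trusted to vouch for a sale (the merchant) is the only one who can produce a valid report: the user sits between the merchant and Bing and can see or replay requests, but without the merchant's secret cannot mint new ones or raise the amount on a real one.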

However, one user certainly spotted it and not only worked out how the cashback system could be exploited but went ahead and exploited it, publishing an account on his blog. Samir Meghani said that while he had never actually bought anything using Bing Cashback "the balance of my account is $2,080.06" and called it an "obvious flaw".

What Meghani did not do was show the method of the exploit; indeed, he said in a now-withdrawn posting "I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated". Which does not sound like a hacking guide to me.

So why did Meghani withdraw his post and what did the Microsoft legal team actually say? More on page 2...