Unfortunately, and unbeknown to Microsoft, it would appear that there was something of a security hole in the cashback system which potentially left the company open to fraud on a major scale. Nobody likes lawyers, but is it really surprising that Microsoft resorted to using them so quickly in this case? I think so, and am happy to explain why if you will bear with me.
Bing users could, courtesy of a flaw in the software API, create fake transactions to Bing which would go totally undetected by Microsoft. It is not known at this time if anyone has been actively exploiting the vulnerability.
However, one user certainly spotted it and not only worked out how the cashback system could be exploited but went ahead and exploited it, publishing an account on his blog. Samir Meghani said that while he had never actually bought anything using Bing Cashback "the balance of my account is $2,080.06" and called it an "obvious flaw".
What Meghani did not do was show the method of the exploit. Indeed, he said in a now withdrawn posting: "I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated". Which does not sound like a hacking guide to me.
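The article never describes how the Bing Cashback API actually worked, and Meghani deliberately withheld the details, so the mechanism is not on the page. What is on the page is the class of flaw: a service that credits a user for a purchase on the strength of a posted transaction it cannot tell apart from a forgery. The example below is added here and is not Bing's code, Microsoft's code or anything Meghani published; it illustrates the defensive design such a "transaction posted" callback needs. Every name, field and secret in it is constructed for the illustration: a merchant-side HMAC over the fields the cashback decision depends on, a constant-time signature check, a freshness window, and a per-order replay check, shown beside the weak design that simply credits whatever arrives.

```python
import hashlib
import hmac
import time

# Hypothetical per-merchant secrets, provisioned out of band (constructed values,
# not anything from the real Bing Cashback programme).
MERCHANT_SECRETS = {"merchant-123": b"constructed-demo-secret-not-real"}

# Every field that influences how much cashback is credited, and to whom, is
# covered by the signature; leaving any of them out lets a forger change it.
SIGNED_FIELDS = ("merchant_id", "order_id", "user", "amount_cents", "currency", "timestamp")


def canonical_payload(tx: dict) -> bytes:
    """Fixed-order key=value lines so merchant and service sign identical bytes."""
    return "\n".join(f"{k}={tx[k]}" for k in SIGNED_FIELDS).encode()


def sign_transaction(tx: dict, secret: bytes) -> str:
    """What the merchant's server attaches to its 'order completed' report."""
    return hmac.new(secret, canonical_payload(tx), hashlib.sha256).hexdigest()


class CashbackLedger:
    """Service side of the callback. `now` is injectable so the demo is deterministic."""

    def __init__(self, max_skew_seconds: int = 300, now=time.time):
        self.max_skew = max_skew_seconds
        self.now = now
        self.seen_orders: set = set()
        self.balances: dict = {}

    def _credit(self, tx: dict) -> None:
        self.balances[tx["user"]] = self.balances.get(tx["user"], 0) + tx["amount_cents"]

    def post_unverified(self, tx: dict) -> str:
        """Weak design: trusts the report as posted. Anyone who can reach the
        endpoint can mint a balance, and nothing distinguishes real from fake."""
        self._credit(tx)
        return "credited"

    def post_verified(self, tx: dict, signature: str) -> str:
        """Hardened design: only a party holding the merchant secret can report,
        a report is only good for a short window, and each order counts once."""
        secret = MERCHANT_SECRETS.get(tx.get("merchant_id"))
        if secret is None:
            return "rejected: unknown merchant"
        expected = sign_transaction(tx, secret)
        # Constant-time comparison avoids leaking the expected digest byte by byte.
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        if abs(self.now() - tx["timestamp"]) > self.max_skew:
            return "rejected: stale"
        key = (tx["merchant_id"], tx["order_id"])
        if key in self.seen_orders:
            return "rejected: replay"
        self.seen_orders.add(key)
        self._credit(tx)
        return "credited"


def demo():
    """Runs constructed reports through both designs; returns (outcomes, balances)."""
    fixed_now = 1_700_000_000
    ledger = CashbackLedger(now=lambda: fixed_now)
    secret = MERCHANT_SECRETS["merchant-123"]

    # Genuine report from the merchant's server, signed with the shared secret.
    real = {"merchant_id": "merchant-123", "order_id": "A-1", "user": "alice",
            "amount_cents": 4999, "currency": "USD", "timestamp": fixed_now - 10}
    sig = sign_transaction(real, secret)
    outcomes = [ledger.post_verified(real, sig)]          # credited
    outcomes.append(ledger.post_verified(real, sig))      # same order again: replay
    # Report for a purchase that never happened, from someone without the secret.
    fake = dict(real, order_id="A-2", amount_cents=208_006)
    outcomes.append(ledger.post_verified(fake, "0" * 64))  # bad signature
    # Genuine signature reused on an altered report.
    outcomes.append(ledger.post_verified(dict(real, amount_cents=999_999), sig))
    # Correctly signed but a day old, e.g. recovered from an old log.
    old = dict(real, order_id="A-4", timestamp=fixed_now - 86_400)
    outcomes.append(ledger.post_verified(old, sign_transaction(old, secret)))  # stale

    # The weak endpoint, for contrast: the forged report is accepted at face value.
    weak = CashbackLedger()
    weak.post_unverified(fake)
    return outcomes, ledger.balances, weak.balances


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run stand-alone, the hardened ledger credits alice exactly once ($49.99) and rejects the duplicate, the forgery, the tampered amount and the stale report, while the weak ledger happily records the $2,080.06 forgery. The design choice worth noting is that the signature covers the user and amount, not just the order id: signing too few fields is the usual way an otherwise authenticated callback still lets a client rewrite what it is paid for.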
So why did Meghani withdraw his post and what did the Microsoft legal team actually say?
So why did he withdraw that post? The letter he received from a law firm representing Microsoft is the answer. You can read the letter in full here but it basically states that Meghani was operating web pages which "are violating Microsoft's rights".
Meghani says that the "purpose of my post was to show an implementation problem, not to encourage defrauding Microsoft" and that the information he did post was "obvious to anyone reading their documentation".
He also admits that he doesn't like dealing with lawyers and so opted to comply with the takedown request. "I will still write a 'non-technical' post on all the problems I see with Bing Cashback in the next few days", a niggled Meghani writes.
So what exactly is going on here? Usually the big legal guns are reserved for the real bad guys, and both Microsoft and its lawyers must have known Meghani would go public with this letter and so fan the flames of a bad media firestorm.
I suspect that a couple of things come into play here: firstly, Meghani made the mistake of admitting to the misuse of the Cashback scheme in order to illegally place a couple of thousand dollars in his account.
Microsoft argues, with some hefty legal justification, that this amounts to a violation of the US Federal Computer Fraud and Abuse Act as well as (undisclosed) common law principles under state law.
It seems to me that Microsoft allowed for the fact that the alleged fraud was committed as part of a vulnerability exposure, as the lawyers' letter states the company "would genuinely like to resolve this matter without the need for any enforcement action".
So, has Microsoft been guilty of simply trying to cover its own back, or is there more to it than that?
Sure, there is always going to be a large dose of 'covering my own back' involved in such legal medicine when a vulnerability that is potentially costly, in terms of both money and media coverage, is publicly exposed like this.
But Meghani is not a professional security researcher. In fact he is the co-founder of a price comparison site called Bountii, and the blog post which disclosed the Bing Cashback vulnerability was published on the Bountii site.
Could it be that Microsoft was more than usually miffed by the disclosure because it came from a competitor, albeit relatively small fry in the scheme of things?
That's how it appears to play out to me, and wearing both my IT Security Consultant and Journalist hats my advice would have been to work with Meghani to correct the flaw and come out of this with some kudos.
If Meghani had published a step-by-step guide to defrauding Microsoft using the Bing Cashback program then he would deserve all he gets, but he did not and has been treated roughly in my view.
Microsoft once again looks like a bully. It has used an itchy trigger finger to fire the big legal guns at some small fish in a big pond, and the ripples are going to last for quite some time I would imagine.