Wednesday, 11 November 2009 15:41

Why Microsoft was wrong to silence Bing cashback whistleblower

If someone spots a potentially costly security hole in your product would you say thanks and fix it, or send in the lawyers? Microsoft opted for the latter, and it was absolutely wrong on this occasion to do so.

Anyone remember the media fanfare that accompanied the launch of the Microsoft Bing search engine last year? Much of it concentrated on the silly Google Killer angle, but a fair chunk was about the user bribery angle.

Essentially, in order to get people to at least come and try the new search engine Microsoft introduced a cashback system which allowed searchers to earn money for every product they purchased when shopping online through Bing.

Unfortunately, and unbeknownst to Microsoft, it would appear that there was something of a security hole in the cashback system which potentially left the company open to fraud on a major scale. Nobody likes lawyers, but is it really surprising that Microsoft resorted to using them so quickly in this case? I think so, and am happy to explain why if you will bear with me.

Bing users could, courtesy of a flaw in the software API, create fake transactions to Bing which would go totally undetected by Microsoft. It is not known at this time if anyone has been actively exploiting the vulnerability.

However, one user certainly spotted it and not only worked out how the cashback system could be exploited but went ahead and exploited it, publishing an account on his blog. Samir Meghani said that while he had never actually bought anything using Bing Cashback "the balance of my account is $2,080.06" and called it an "obvious flaw".

What Meghani did not do was show the method of the exploit; indeed, he said in a now-withdrawn posting "I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated". Which does not sound like a hacking guide to me.



So why did he withdraw that post? The letter he received from a law firm representing Microsoft is the answer. You can read the letter in full here but it basically states that Meghani was operating web pages which "are violating Microsoft's rights".

It also claims that Meghani was "providing information directing users how to misuse the Microsoft Bing Cashback program through unauthorized technical means", which does not seem to tie in with the "not going to explain" statement in the posting at the heart of all this.

Meghani says that the "purpose of my post was to show an implementation problem, not to encourage defrauding Microsoft" and that the information he did post was "obvious to anyone reading their documentation".

He also admits that he doesn't like dealing with lawyers and so opted to comply with the takedown request. "I will still write a “non-technical” post on all the problems I see with Bing Cashback in the next few days" a niggled Meghani writes.

So what exactly is going on here? Usually the big legal guns are reserved for the real bad guys, and both Microsoft and its lawyers must have known Meghani would go public with this letter and so fan the flames of a bad media firestorm.

I suspect that a couple of things come into play here: firstly, Meghani made the mistake of admitting to the misuse of the Cashback scheme in order to illegally place a couple of thousand dollars in his account.

Microsoft argues, with some hefty legal justification, that this amounts to a violation of the US Federal Computer Fraud & Abuse Act as well as (undisclosed) common law principles under state law.

It seems to me that Microsoft allowed for the fact that the alleged fraud was committed as part of a vulnerability disclosure, as that lawyer's letter states the company "would genuinely like to resolve this matter without the need for any enforcement action".

So, has Microsoft been guilty of simply trying to cover its own back, or is there more to it than that?


Sure, there is always going to be a large dose of 'covering my own back' involved in such legal medicine when a vulnerability that is potentially costly, in terms of both money and media coverage, is publicly exposed like this.

And sure, Meghani should have approached Microsoft with details of the vulnerability and given it a chance to fix the hole before going public. That is pretty much de rigueur amongst professional security researchers these days.

But Meghani is not a professional security researcher. In fact, he is the co-founder of a price comparison search site called Bountii, and the blog post which disclosed the Bing Cashback vulnerability was published on the Bountii site.

Could it be that Microsoft was more than usually miffed by the disclosure because it came from a competitor, albeit a relatively small fry in the scheme of things?

That's how it appears to play out to me, and wearing both my IT Security Consultant and Journalist hats my advice would have been to work with Meghani to correct the flaw and come out of this with some kudos.

If Meghani had published a step-by-step guide to defrauding Microsoft using the Bing Cashback program then he would deserve all he gets, but he did not and has been treated roughly in my view.

Microsoft once again looks like a bully. It has used an itchy trigger finger to fire the big legal guns at some small fish in a big pond, and the ripples are going to last for quite some time I would imagine.
