
Microsoft Tries To Censor Bing Vulnerability

kdawson posted more than 4 years ago | from the don't-shout-and-wave-it-about dept.

Censorship 275

An anonymous reader writes "Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cash-back exploit with a cease & desist letter, rather than by fixing the underlying security problem. It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing. The original post is currently available in Bing's cache, although perhaps not for long. But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK."


275 comments


And now thanks to /. and microsoft (5, Insightful)

Shadow of Eternity (795165) | more than 4 years ago | (#30043076)

it will probably be all over the rest of the internet and general common knowledge within the week.

Re:And now thanks to /. and microsoft (5, Funny)

u38cg (607297) | more than 4 years ago | (#30043094)

That seems pretty unlikely to me.

~Barbara

Re:And now thanks to /. and microsoft (2, Informative)

Anonymous Coward | more than 4 years ago | (#30043170)

Just wait for it.
-Barbra

Re:And now thanks to /. and microsoft (2, Interesting)

Choozy (1260872) | more than 4 years ago | (#30043120)

it will probably be all over the rest of the internet and general common knowledge within the week.

The way you phrased this, it would seem to indicate that you are against slashdot for releasing this information. I fail to see how releasing this type of information is a bad thing. You would be better off believing in fairies than thinking only 1 person will find a way to exploit a bug. The more people who know about this issue the better as it will be more likely that microsoft will actually fix the bug instead of suppressing the author.

Re:And now thanks to /. and microsoft (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30043226)

The phrasing seemed pretty neutral to me. How would you have phrased it so that it doesn't seem to indicate that it is a bad thing?

Re:And now thanks to /. and microsoft (4, Insightful)

Shadow of Eternity (795165) | more than 4 years ago | (#30043268)

GP just wants someone to hate on, you don't get much more neutral in phrasing than that without making a two word post saying only "Streisand effect."


I'm not interested in fixing the bug... (1)

da5idnetlimit.com (410908) | more than 4 years ago | (#30043456)

Just interested in keeping the extra income 8)

Re:And now thanks to /. and microsoft (0)

Anonymous Coward | more than 4 years ago | (#30043726)

MS no longer suppresses authors. Instead, balmer invites them to his office and then into his chair. Issue solved in MS's eye.

Re:And now thanks to /. and microsoft (1, Funny)

Anonymous Coward | more than 4 years ago | (#30043288)

Except, by the time it turns up on slashdot, it already is all over the rest of the internet.

Even if bing removes it from their cache.

Re:And now thanks to /. and microsoft (3, Interesting)

BrokenHalo (565198) | more than 4 years ago | (#30043326)

The thing that strikes me as odd is why anybody would bother taking the time to meddle with Bing. Does anybody actually use it? Really?

I know Google has its detractors, but surely no more than Microsoft. We can't all be Steve Ballmer...

Re:And now thanks to /. and microsoft (5, Informative)

Anonymous Coward | more than 4 years ago | (#30043428)

like this you mean?

Breaking Bing Cashback
Posted November 4th, 2009 by Samir

I've never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let's see how these transactions might have "accidentally" got credited to my account.

First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:

https://ssl.search.live.com/cashback/pixel/index?jftid=0&jfoid=<orderid>&jfmid=<merchantid>&m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>

This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated. Bing doesn't seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have "cleared," and I'm guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven't done enough work to say it with confidence, but a malicious user might be able to block another user's legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order ID's (e.g. sequential), a malicious user can "use up" all the future order ID's, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

Based on what I've found, I wouldn't implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, I'll demonstrate some other subtle but important reasons to avoid using Bing Cashback.
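The reporting flow quoted above and the server-to-server alternative, as an added example in Python that is not part of the original post or of Bing's SDK: a toy ledger accepts reports either unauthenticated (the tracking-pixel model) or only when they carry an HMAC computed with a per-merchant secret, and both variants run the duplicate-order-ID check the post describes. The merchant id, secret, order numbers and the flat 2% rate are constructed for the demo.

```python
"""Toy cashback ledger: pixel-style (unauthenticated) reports versus
HMAC-signed server-to-server reports.  Everything here is constructed for
the demo; it is not Bing's code or the SDK's format beyond the query
parameter names quoted in the post."""

import hashlib
import hmac
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Constructed per-merchant secret.  In a real deployment it is provisioned
# out of band and lives only on the merchant's server and the cashback side.
MERCHANT_SECRETS: Dict[str, bytes] = {"shop42": b"constructed-secret-for-shop42"}
CASHBACK_RATE = Decimal("0.02")  # assumption: flat 2% for the demo


@dataclass
class Report:
    merchant_id: str
    order_id: str
    amount: Decimal
    signature: Optional[str] = None  # absent on pixel-style reports


def parse_pixel_request(url: str) -> Report:
    """Parse a tracking-pixel URL of the shape quoted in the post
    (jfoid = order id, jfmid = merchant id, p[0] = price, q[0] = quantity)."""
    q = parse_qs(urlsplit(url).query)
    amount = Decimal(q["p[0]"][0]) * int(q["q[0]"][0])
    return Report(q["jfmid"][0], q["jfoid"][0], amount)


def sign_report(merchant_id: str, order_id: str, amount: Decimal) -> str:
    """Merchant side: HMAC-SHA256 over the canonical fields, sent server-to-server."""
    msg = f"{merchant_id}|{order_id}|{amount}".encode()
    return hmac.new(MERCHANT_SECRETS[merchant_id], msg, hashlib.sha256).hexdigest()


@dataclass
class Ledger:
    require_signature: bool
    seen: Dict[str, Set[str]] = field(default_factory=dict)      # merchant -> order ids
    balances: Dict[str, Decimal] = field(default_factory=dict)   # merchant -> cashback owed

    def submit(self, r: Report) -> str:
        """Return 'credited', 'duplicate' or 'unauthenticated'."""
        if self.require_signature:
            if r.merchant_id not in MERCHANT_SECRETS or r.signature is None:
                return "unauthenticated"
            expected = sign_report(r.merchant_id, r.order_id, r.amount)
            if not hmac.compare_digest(expected, r.signature):
                return "unauthenticated"
        # The duplicate-order-ID check the post describes.  Without
        # authentication it is exactly what lets a forged report for a
        # future order ID block the merchant's real report later on.
        seen = self.seen.setdefault(r.merchant_id, set())
        if r.order_id in seen:
            return "duplicate"
        seen.add(r.order_id)
        owed = self.balances.get(r.merchant_id, Decimal(0))
        self.balances[r.merchant_id] = owed + r.amount * CASHBACK_RATE
        return "credited"


def demo() -> dict:
    """Constructed scenario: a pixel hit nobody authenticated arrives for
    order 1001 before the merchant's genuine report for the same order."""
    forged = parse_pixel_request(
        "https://example.invalid/cashback/pixel/index?jftid=0&jfoid=1001"
        "&jfmid=shop42&m[0]=sku1&p[0]=104000&q[0]=1")
    legit = Report("shop42", "1001", Decimal("50"),
                   sign_report("shop42", "1001", Decimal("50")))

    pixel = Ledger(require_signature=False)
    signed = Ledger(require_signature=True)
    return {
        "pixel_forged": pixel.submit(forged),          # credited: 2% of 104000
        "pixel_legit": pixel.submit(legit),            # duplicate: customer loses cashback
        "pixel_balance": pixel.balances["shop42"],
        "signed_forged": signed.submit(forged),        # unauthenticated
        "signed_legit": signed.submit(legit),          # credited: 2% of 50
        "signed_balance": signed.balances["shop42"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```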

Re:And now thanks to /. and microsoft (5, Insightful)

mcvos (645701) | more than 4 years ago | (#30043756)

Financial transactions based on a tracking pixel? Really? I just don't know where to start to point out how wrong that is.

PayPal has dozens of different ways to pay, and most of them suck, but at least they don't encourage people to rely on tracking pixels. Either you explicitly send the customer to the payment gateway (including login or entering credit card info there) to authorize the transaction, or you have your own server talk directly to the payment gateway. Relying on a hidden browser-side hack for a financial transaction is just amazingly stupid and unnecessary, even if you don't spot any obvious flaws right away (because someone else will).

Re:And now thanks to /. and microsoft (5, Insightful)

buchner.johannes (1139593) | more than 4 years ago | (#30043946)

In traditional Microsoft fashion, the company has responded to the author of the breaking bing cashback exploit with a cease & desist letter, rather than by fixing the underlying security problem.

Maybe they are doing both?

The cease and desist letter seems partially reasonable:

Specifically, at this site you are providing information directing users how to misuse the microsoft Bing Cashback program through unauthorized technical means. Further, on this website you admit that you have personally misused the Cashback program in this regard.

It's pretty stupid to admit you violated a law on a blog that has your name on it. He should have used an anonymous blog for that or informed Microsoft of the issue in the first place.

Re:And now thanks to /. and microsoft (4, Insightful)

theurge14 (820596) | more than 4 years ago | (#30043440)

Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.

Re:And now thanks to /. and microsoft (1)

TubeSteak (669689) | more than 4 years ago | (#30043778)

Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.

For all we know, the OP is a proponent of that 'responsible disclosure' nonsense.

Re:And now thanks to /. and microsoft (0)

indiechild (541156) | more than 4 years ago | (#30044118)

So you wouldn't mind posting your real full name, social security number (assuming you're American) and residential address?

How does he know MS isn't doing anything else? (5, Insightful)

blankinthefill (665181) | more than 4 years ago | (#30043108)

I'm curious how 'anonymous reader' knows that Microsoft is doing nothing to fix the problem. This has been bugging me for a long time. It's possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system? A C&D letter doesn't mean that other actions haven't been taken. Just a thought.

Re:How does he know MS isn't doing anything else? (0, Redundant)

stikves (127823) | more than 4 years ago | (#30043146)

The parent is a really insightful comment on Slashdot!

Given advertisement being the main cash income for online service, how could MS be doing nothing at all?

Re:How does he know MS isn't doing anything else? (3, Funny)

Anonymous Coward | more than 4 years ago | (#30043264)

Uh? Cash back is negative income for Microsoft, and as a lawyer who sends C&Ds for a living, I am offended by the fact that you call that "doing nothing".

Re:How does he know MS isn't doing anything else? (3, Funny)

mdenham (747985) | more than 4 years ago | (#30043304)

You're right, sending C&Ds isn't doing nothing.

It's actively producing negative work, turning productively spent time into wasted time.

So congratulations, you're doing less than nothing!

Re:How does he know MS isn't doing anything else? (0, Troll)

BrokenHalo (565198) | more than 4 years ago | (#30043370)

and as a lawyer who sends C&Ds for a living...

Wow, that's sad. That's almost like admitting to being a parking inspector...

Re:How does he know MS isn't doing anything else? (0)

Anonymous Coward | more than 4 years ago | (#30043540)

Not at all. Any rational and considerate person can respect a parking inspector.

Re:How does he know MS isn't doing anything else? (1)

SimonTheSoundMan (1012395) | more than 4 years ago | (#30043910)

You obviously haven't seen parking inspectors or clampers in the UK at work.

Re:How does he know MS isn't doing anything else? (3, Insightful)

mcvos (645701) | more than 4 years ago | (#30043768)

and as a lawyer who sends C&Ds for a living...

Wow, that's sad. That's almost like admitting to being a parking inspector...

Parking inspectors do important work. They keep parking spaces available for those who really need them. I feel sorry for the abuse they sometimes get.

Re:How does he know MS isn't doing anything else? (4, Insightful)

Chrisq (894406) | more than 4 years ago | (#30043302)

If they had any sense they would have anticipated the Streisand effect. It would have been much more effective to tell him the situation, ask him to remove the post and offer him whatever they paid their lawyers to issue the injunction as a "good will" gesture. That way if he did release it then he'd look like an @sshole rather than a victim.

Re:How does he know MS isn't doing anything else? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30043150)

Well - first of all they could simply say they will be working on it hm?

And secondly - to assume they are not working on it is just as viable as assuming they are working on it. Without any feedback anything can be assumed. This is why a C&D letter is so harmful...

Re:How does he know MS isn't doing anything else? (0)

blankinthefill (665181) | more than 4 years ago | (#30043184)

Well - first of all they could simply say they will be working on it hm?

And secondly - to assume they are not working on it is just as viable as assuming they are working on it. Without any feedback anything can be assumed. This is why a C&D letter is so harmful...

That makes no sense whatsoever. A C&D letter is harmful because there's no other feedback? What the hell does that even mean? And how do you come up with the first part of your point 2? As pointed out above, the income from the site DEPENDS on this, so it makes zero sense for them to be doing NOTHING beyond sending a C&D, and vice versa. Your contention that assuming either makes just as much sense is utter BS.

As to your first point, most businesses are very secretive about potentially damaging things. I don't understand why it's surprising when MS acts just like every other large corporation in protecting itself.

Re:How does he know MS isn't doing anything else? (4, Insightful)

MadnessASAP (1052274) | more than 4 years ago | (#30043282)

Ever heard of the Streisand effect? If you're trying to suppress information about something a C&D is the last thing you want to do. Furthermore many companies when put in an identical situation will respond with "Thank you we are aware of the problem and are currently working on it" rather than a C&D.

Also you sound like a schizophrenic jackass.

Re:How does he know MS isn't doing anything else? (4, Insightful)

Anonymous Coward | more than 4 years ago | (#30043398)

C&Ds do work in two cases:

The first is if the C&D gets out fast enough that people are unable to mirror the information, especially if it is stored in a dynamic database that can't just be grabbed completely with a wget. One example of this: Say someone makes a keygen app that runs on their webserver, and people submit forms to get bogus serial numbers. A C&D would completely smash this, preventing the information from getting released. Similarly if people ran other services that could be nailed by an ACTA or DMCA takedown notice.

The second is that the information that does escape the C&Ds gets pushed from mainstream sites to the seedy corners of the Internet. These are the same areas that have the dubious filesharing programs, the warez "search engines" and "DDL" sites [1], the "bump all Abloy locks in 2 secs, lulz" [2] text files, and other dodgy sites which tend to be more of a test of browser security than a place to find anything useful. So, unless someone is willing to spend time looking for that exact information on a hardened computer, it effectively has vanished.

Don't underestimate the power of lawyers. They have the guys with guns on their side.

[1]: I have DDL, or direct download, in quotes because I have yet to personally see a usable direct download other than a Trojan or a drive-by browser exploit in all my years of cleaning malware off of the PCs of people who do believe in such fantasies.

[2]: Yes, I know Abloy locks are unbumpable because of their design, but it is a good example. I don't know anything that defeats their latest PROTEC line of locks other than 12-14 hours of painstaking picking by dedicated speedpickers, or a good long session drilling the sucker out.

Re:How does he know MS isn't doing anything else? (2, Insightful)

vadim_t (324782) | more than 4 years ago | (#30044176)

The first is if the C&D gets out fast enough that people are unable to mirror the information, especially if it is stored in a dynamic database that can't just be grabbed completely with a wget. One example of this: Say someone makes a keygen app that runs on their webserver, and people submit forms to get bogus serial numbers. A C&D would completely smash this, preventing the information from getting released. Similarly if people ran other services that could be nailed by an ACTA or DMCA takedown notice.

That's until it reappears on some site hosted in China or random servers that were broken into.

The second is that the information that does escape the C&Ds gets pushed from mainstream sites to the seedy corners of the Internet. These are the same areas that have the dubious filesharing programs, the warez "search engines" and "DDL" sites [1], the "bump all Abloy locks in 2 secs, lulz" [2] text files, and other dodgy sites which tend to be more of a test of browser security than a place to find anything useful. So, unless someone is willing to spend time looking for that exact information on a hardened computer, it effectively has vanished.

So great job, you managed to keep the information from the sysadmins and other upstanding people, but it's still available in the dark corners of the net, where people with questionable motivations can still get at it.

Now for the company it's all good, but from the global point of view, things are worse than before.

Don't underestimate the power of lawyers. They have the guys with guns on their side.

Yep, that worked really well with the AACS key.

Re:How does he know MS isn't doing anything else? (5, Interesting)

neothoron (1402383) | more than 4 years ago | (#30043320)

Problem is, sending a C&D letter is doubly ineffective:

  • it barely has any effect in keeping potential exploiters from getting access to the vulnerability;
  • someone who cared enough about MS so that they could better themselves is treated like a nuisance (at best).

In fact, compare that to the way the last TLS-related vulnerability was handled; in both cases, a critical flaw is revealed before a fix was ready. In the TLS case, it was handled with forthrightness and transparency. I'm not saying that MS should do the same (MS probably can't); but they would show more respect to Samir, and to all their bing cashback clients, by:

  • Asking Samir to remove most of the "sensible" post information - you know, instead of threatening with litigation from the get-go.
  • Taking an official stance on that problem; what's the risk, who's affected, what should be done - instead of leaving bing cashback clients vulnerable to misinformation and abuse.

Re:How does he know MS isn't doing anything else? (3, Insightful)

value_added (719364) | more than 4 years ago | (#30043386)

As to your first point, most businesses are very secretive about potentially damaging things. I don't understand why it's surprising when MS acts just like every other large corporation in protecting itself.

It's a truism, if not a cliche, to point out businesses are secretive about potentially damaging things.

The difference here is that the scope of damage extends outside narrow corporate concerns. In such situations, it's both fair and reasonable for customers to expect a certain level of transparency. In many industries, disclosures that negatively affect third parties are mandated by law (cue the car analogies).

Microsoft has chosen, in historically typical fashion, the complete opposite of transparency. The criticisms are well deserved.

Re:How does he know MS isn't doing anything else? (3, Interesting)

lkcl (517947) | more than 4 years ago | (#30043724)

it's the lack of thought for consequences of censorship that has me confused. in this day and age, with the overwhelming occurrences of embarrassment that occur repeatedly over censorship attempts and cover-up attempts, surely businesses would work out by now that a "thank you! we'll fix this IMMEDIATELY! and we'll even pay you some money, and, for anyone else who is listening, we'll pay a BOUNTY to anyone else who privately reports security problems in the future!" approach would make them appear to be a much more enlightened and responsible company. ... or am i just expecting too much?

No (5, Insightful)

oGMo (379) | more than 4 years ago | (#30043272)

If you have a glaring vulnerability that lets people defraud your customers out of arbitrary amounts of money, the only sane thing to do is immediately disable the feature. Not wait for a solution. Not cover up the issue. You make coverage of the issue irrelevant. If one person figured it out and wrote about it, 100 other people also figured it out and are using it for personal gain.

Re:How does he know MS isn't doing anything else? (2, Insightful)

DNS-and-BIND (461968) | more than 4 years ago | (#30043730)

Incompetence is more than an adequate explanation. I, for one, am no longer shocked when huge companies admit to shamefully incompetent wrongdoing. And Microsoft has a history of such blind stupidity, so no surprises there either.

Re:How does he know MS isn't doing anything else? (2, Insightful)

mcvos (645701) | more than 4 years ago | (#30043790)

Its possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system?

How the hell does a C&D prevent assholes from breaking your system? Only fixing your system can do that. They should have sent him a letter expressing their gratitude for pointing out this security hole.

But more than that, they shouldn't have enabled and encouraged merchants to rely on a horribly insecure payment method.

Mirror (4, Informative)

Rufus211 (221883) | more than 4 years ago | (#30043110)

I've never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let's see how these transactions might have "accidentally" got credited to my account.

First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:

https://ssl.search.live.com/cashback/pixel/index?jftid=0&jfoid=<orderid>&jfmid=<merchantid>&m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>

This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated. Bing doesn't seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have "cleared," and I'm guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven't done enough work to say it with confidence, but a malicious user might be able to block another user's legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order IDs (e.g. sequential), a malicious user can "use up" all the future order IDs, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

Based on what I've found, I wouldn't implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, I'll demonstrate some other subtle but important reasons to avoid using Bing Cashback.

It seems like people have still not learned to never trust anything from the user. This reminds me of some trivially exploitable web merchants years ago. They would store the entire shopping basket, including prices, in the user's cookies. The user simply modifies their cookies so that everything costs $1 or $0.01 and they could order a dozen CPUs / t-shirts / whatever for a few bucks.

Re:Mirror (5, Insightful)

Rufus211 (221883) | more than 4 years ago | (#30043136)

Also the guy who posted this is an idiot for placing a $100,000 transaction which would result in a $2,000 payment, and then bragging about it. His two $1 transactions proved the vulnerability and the $0.06 payment generated is easily ignored. The $100k transaction with $2k payment is just flat out wire fraud asking for federal PMITA prison.

Why is this troll? (1)

XanC (644172) | more than 4 years ago | (#30043208)

Seems pretty spot-on to me.

Re:Why is this troll? (0)

Anonymous Coward | more than 4 years ago | (#30043402)

$0.06 doesn't generate headlines.

Re:Mirror (4, Insightful)

slimjim8094 (941042) | more than 4 years ago | (#30043230)

Parent is not a troll. This guy is seriously in for it - the FBI et al. frown upon people who cheat companies out of literally thousands of dollars. The six cents would've been overlooked, and prove the point nicely.

$2k will certainly not be overlooked. Even if he never collects it... he's still fucked.

How is this a cheat? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30043646)

This is no more a cheat than taking someone's money for a shell game and showing them afterwards how they were scammed.

If he's said "by the way, I managed to get 20 grand off you by this" then he's not defrauded them. If he'd kept quiet THEN he'd have defrauded them.

Re:Mirror (0, Troll)

WindBourne (631190) | more than 4 years ago | (#30043744)

And yet, the FBI pretty much looks the other way when companies routinely cheat people out of hundreds or thousands of dollars.

Re:Mirror (2, Insightful)

Shrike82 (1471633) | more than 4 years ago | (#30044140)

I do love the way vague ramblings about evil corporations and the FBI (CIA or NSA would also have been acceptable) automatically get moderated Insightful. Way to use those mod points my friend...

Re:Mirror (0)

Anonymous Coward | more than 4 years ago | (#30044158)

And yet, the OP was correct. When a business screws over a customer, it is FTC that gets called in, not FBI. Even then, it takes blatant illegal actions to cause the wheels to turn.

Re:Mirror (1)

DNS-and-BIND (461968) | more than 4 years ago | (#30043896)

Wrong! The feds won't get involved for anything less than $50,000. My company called them once and got turned down flat. They had to wildly exaggerate the amount of losses to get them to investigate.

Re:Mirror (0)

1s44c (552956) | more than 4 years ago | (#30043198)

It seems like people have still not learned to never trust anything from the user.

It's not people, it's Microsoft. Everyone else at least knows they should validate all user input.

Microsoft should hire Theo de Raadt as a security consultant. He will no doubt walk out within a week but the Microsoft staffers who get the honor of being yelled at will get a security education like no other.

Re:Mirror (0, Offtopic)

timmarhy (659436) | more than 4 years ago | (#30044010)

Actually, Raadt could learn a lot from them. MS hire very smart people and make some great products. They, however, fuck up like everyone else as well.

Re:Mirror (5, Funny)

TheWizardTim (599546) | more than 4 years ago | (#30043242)

Another fun trick was to take a $1 and a $20 and cut them both in half. Then tape half of the $1 and the $20 to make two $21 dollar bills. Silly I know, but if you put them in a change machine, it would look for the numbers in the corners, it would read a 20 then a 1 and then give you $21 in change. You then took the other part and got $21 in change as well. Quick way to double your money. Now the machines check to make sure that all four numbers on the corners match up.

Re:Mirror (1, Funny)

Anonymous Coward | more than 4 years ago | (#30043366)

I'd just keep the two $21 dollar bills myself. Quick way to double your money!

Re:Mirror (1)

BrokenHalo (565198) | more than 4 years ago | (#30043394)

That's an interesting approach. It exposes the idiocy of having all your currency bills with the same design except for the denomination. I think just about every other currency I've used has bills of different size as well as design for each denomination, so I doubt if your idea would work.

Re:Mirror (4, Insightful)

jrumney (197329) | more than 4 years ago | (#30043424)

it would read a 20 then a 1 and then give you $21 in change.

Sounds like an urban myth to me. Would it add 20 and 20 from the corners of a normal $20 bill and give you $40 change?

Re:Mirror (2, Insightful)

QuoteMstr (55051) | more than 4 years ago | (#30043432)

Maybe one rooted in truth, however. I can imagine a bill-reader using some simple image recognition against just one corner of the bill. You could get two $20 bills that way.

Re:Mirror (0)

Anonymous Coward | more than 4 years ago | (#30043578)

Idea being it has fixed 'is this number X?' tests, that set internal bit-flags.

As the bill goes in, two parallel scans: Left and right edge: "Is this a 1?" "Is this a 2?" "Is this a 5?" "Is this a 10?" "Is this a 20?" bit-flags, and a counter for number of valid symbols detected, everything fits in a single byte of memory.

#define FOUND_1 0x08
#define FOUND_2 0x10
#define FOUND_5 0x20
#define FOUND_10 0x40
#define FOUND_20 0x80
#define FOUND_COUNT_MASK 0x07

Then just sanity-check the count, and then run down the 'found' bits to activate the coin-feed. Seems reasonable, until you realize input can set more than one FOUND_?? value.
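The status-byte scheme sketched above, as an added Python example that is not part of the original comment: the four corner reads are folded into one byte using the same flag values, the naive payout walks every set flag (so a bill with two different corner values pays out their sum), and the checked version requires all four corners to agree on a single denomination. Corner values are constructed.

```python
"""Bill-reader status byte from the comment above: denomination flags in the
high five bits, count of valid corner reads in the low three.  Constructed
example; the reader logic is a sketch, not any real machine's firmware."""

FOUND_1, FOUND_2, FOUND_5, FOUND_10, FOUND_20 = 0x08, 0x10, 0x20, 0x40, 0x80
FOUND_COUNT_MASK = 0x07
FLAG_FOR = {1: FOUND_1, 2: FOUND_2, 5: FOUND_5, 10: FOUND_10, 20: FOUND_20}


def scan(corners):
    """Fold four corner reads (None = unreadable) into the status byte."""
    status = 0
    for value in corners:
        if value in FLAG_FOR:
            count = (status & FOUND_COUNT_MASK) + 1        # never exceeds 4, fits in 3 bits
            status = (status & ~FOUND_COUNT_MASK) | FLAG_FOR[value] | count
    return status


def payout_naive(status):
    """The flawed logic: the count looks sane, so run down every set flag.
    Two different corner values both pass and both get paid."""
    if (status & FOUND_COUNT_MASK) < 2:
        return 0
    return sum(d for d, f in FLAG_FOR.items() if status & f)


def payout_checked(status):
    """Fix: all four corners read, and exactly one denomination flag set
    (flags & (flags - 1) is zero only for a single set bit)."""
    flags = status & ~FOUND_COUNT_MASK
    if (status & FOUND_COUNT_MASK) != 4 or flags == 0 or flags & (flags - 1):
        return 0
    return next(d for d, f in FLAG_FOR.items() if f == flags)
```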

Re:Mirror (1)

Tapewolf (1639955) | more than 4 years ago | (#30043612)

You're assuming he stuck them together like this: [_ _] If it only read the number on the incoming edge, you might be able to attach them like this: [_ [_ Even if it didn't add them together and ignored the $1, you would still get $40 at a cost of $21.

Re:Mirror (0)

Anonymous Coward | more than 4 years ago | (#30043598)

Another fun trick was to take a $1 and a $20 and cut them both in half. Then tape half of the $1 and the $20 to make two $21 dollar bills. Silly I know, but if you put them in a change machine, it would look for the numbers in the corners, it would read a 20 then a 1 and then give you $21 in change. You then took the other part and got $21 in change as well. Quick way to double your money. Now the machines check to make sure that all four numbers on the corners match up.

So if I put a $20 bill in there it would read a 20 and then a 20 and give me $40 in change?

Mirror (0, Redundant)

QuoteMstr (55051) | more than 4 years ago | (#30043114)

I've never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let's see how these transactions might have "accidentally" got credited to my account.

First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here [microsoft.com]. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:

https://ssl.search.live.com/cashback/pixel/index?jftid=0&jfoid=<orderid>&jfmid=<merchantid>&m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>

This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated. Bing doesn't seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have "cleared," and I'm guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven't done enough work to say it with confidence, but a malicious user might be able to block another user's legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order IDs (e.g. sequential), a malicious user can "use up" all the future order IDs, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

Based on what I've found, I wouldn't implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, I'll demonstrate some other subtle but important reasons to avoid using Bing Cashback.

Quote (2, Insightful)

QuoteMstr (55051) | more than 4 years ago | (#30043132)

Regarding the tracking pixel approach: H.L. Mencken once wrote, "there is always a well-known solution to every human problem -- neat, plausible, and wrong." I cannot think of a situation to which this sentiment better applies.

Most entertaining... (5, Informative)

netpixie (155816) | more than 4 years ago | (#30043130)

is the line from the letter

"cease and desist the posting in any location of the material and information contained in this post"

Seeing as it is their SDK that contains the details of this "feature", are they going to send themselves a C&D and then pull the SDK?

Use microsoft == get screwed (3, Insightful)

1s44c (552956) | more than 4 years ago | (#30043180)

After about 30 years is this still news?

Use Microsoft software and you get screwed. They don't design software; they design the user interface and botch the software. They are now, as always, a marketing company, not an IT company. It's always been that way, it will always be that way.

Re:Use microsoft == get screwed (0, Offtopic)

QuoteMstr (55051) | more than 4 years ago | (#30043238)

Use proprietary software and you get screwed.

Fixed that for you.

Re:Use microsoft == get screwed (1)

jim_v2000 (818799) | more than 4 years ago | (#30043262)

Because online services that use open software allow anyone to come in and fix bugs?

FOSS == Fix yourself (0)

Anonymous Coward | more than 4 years ago | (#30043378)

FOSS == Fix yourself.

Try that without any source code.

Or with "Open Source" MSLPL code.

Re:Use microsoft == get screwed (1)

slimjim8094 (941042) | more than 4 years ago | (#30043244)

In this case, it's Microsoft getting screwed by Microsoft. They are on the verge of paying, or have already paid, $2000 out-of-pocket to a guy who did a simple GET.

Entirely Microsoft's problem - except it'll become the guy's problem when he gets prosecuted for fraud. Faking a $100k transaction is not a smart move. The $1 transaction is a perfectly fine proof-of-concept.

Re:Use microsoft == get screwed (1)

1s44c (552956) | more than 4 years ago | (#30043300)

In this case, it's Microsoft getting screwed by Microsoft. They are on the verge of paying, or have already paid, $2000 out-of-pocket to a guy who did a simple GET.

They can't even validate user input where failing to do so directly costs them cash. They are not hiding behind some get out of everything license agreement and they still can't do the basics.

Re:Use microsoft == get screwed (0)

Anonymous Coward | more than 4 years ago | (#30043644)

Hah! You thought Microsoft was primarily abusive! It is abusive, but mainly it is stupid. Especially since all the programmers who were any good left a long time ago, apparently.

Re:Use microsoft == get screwed (1, Informative)

QuoteMstr (55051) | more than 4 years ago | (#30043710)

Say what you will about Microsoft's business practices, but incredibly smart people [microsoft.com] work there. The idea expressed by your comment and the ten million others just like it is a cop-out: it's a lot easier to call Micro$oft stupid than to take a hard look at our society and think about why large software companies (and large companies in general) have strong economic incentives to produce shit, about why they're not accountable to society at large, and why they can accumulate so much power.

Microsoft is hardly stupid: on the contrary, its managers are quite savvy, and are the reason Microsoft is where it is today. Other large software companies would do exactly the same things in the same position.

The real reasons we're angry are political. Our antitrust enforcement is lax. Our politicians are corrupt. We don't hold our government responsible for passing laws that favor the very few over the very many, like the DMCA. Our income taxes aren't progressive enough. We're not willing to enforce open standards. We let anything under the sun be patented. We need to address the root causes of these problems.

But thinking about all that is hard. It's easier to just say Microsoft sucks, isn't it?

Re:Use microsoft == get screwed (0)

1s44c (552956) | more than 4 years ago | (#30043952)

But thinking about all that is hard. It's easier to just say Microsoft sucks, isn't it?

Microsoft does suck. They suck at IT. The fact they make a lot of money isn't proof they don't suck at IT.

No doubt they have salespeople that could sell sand to Arabs and snow to Eskimos, and a legal department that could get them off of blowing up UN headquarters with only a small fine. None of that is proof that their software is anything but a pretty GUI with dodgy fluff behind it sold to people who don't have enough knowledge to make an informed choice.

The problems are partly political and partly due to a lack of education and experience in people that really should know better. I guess you could count the last point as political too.

Re:Use microsoft == get screwed (0)

Anonymous Coward | more than 4 years ago | (#30044070)

The fact they make a lot of money isn't proof they don't suck at IT.

Right. And who exactly gives a shit about your opinion? Your mom?

It's cute watching F/OSS cheerleaders get all twisted up about Microsoft. They continue to prop up a failure of an operating system. What is it again.. 15-16 years in development and 1% market share? Wait, let me delete my Ubuntu VM. Now it's 0.9583% market share! I think Linux is the ultimate definition of failure. And this is after the billions poured in by IBM/SUN/Canonical into hiring programmers to build this crappy OS. (Obviously nobody was going to do it for free. They had to pay people to write code.)

YEAR OF T3H LINUX !!11. Give it up, the party is over. Microsoft won.

Let's recap.

Microsoft = Alpha Male = Winner. They don't give a shit about what you think. They continue making money and dominating the industry doing what they want however they want.

F/OSS Cheerleaders = Losers/Whiners/Apologists Always whining and making excuses. What is the latest one? Including routers as Linux "computers" to boost the market share? HAHAHAHA !

Re:Use microsoft == get screwed (0)

Anonymous Coward | more than 4 years ago | (#30044008)

You know... I gave some nice upmods, and I'll sacrifice them so hopefully a +0 reader sees it... but this is the type of post that begs for a ±1, WTF? Really?! My kingdom for an incoherent option.

What a bunch of crap. (0)

Anonymous Coward | more than 4 years ago | (#30044062)

Our income taxes aren't progressive enough.

Basically, what you are arguing is to replace a software company that YOU don't like with a totalitarian state.

I would think it would be just easier to use a different operating system.

Re:Use microsoft == get screwed (3, Informative)

Alex Belits (437) | more than 4 years ago | (#30044204)

Microsoft Research is not "people working for Microsoft", it's "people are paid by Microsoft not to work for Microsoft's competitors". Not a single meaningful Microsoft product or feature came from there.

Re:Use microsoft == get screwed (1)

gzipped_tar (1151931) | more than 4 years ago | (#30043494)

In this case, it's Microsoft getting screwed by Microsoft.

Reminds me of a piece of quotation often attributed to Freud: "The only thing about masturbation to be ashamed of is doing it badly."

Shame, Microsoft, SHAME!!!

Re:Use microsoft == get screwed (1)

kestasjk (933987) | more than 4 years ago | (#30043276)

A marketing company which subcontracts out its marketing and makes billions from software sales. That's a pretty weird marketing company.

Re:Use microsoft == get screwed (1)

1s44c (552956) | more than 4 years ago | (#30043290)

A marketing company which subcontracts out its marketing and makes billions from software sales. That's a pretty weird marketing company.

Agreed they are pretty weird. They don't sell software though, they sell the dream of software that 'just works' to people that for the most part don't believe there is an alternative to bug ridden and low quality code.

Re:Use microsoft == get screwed (1)

ProfessionalCookie (673314) | more than 4 years ago | (#30043338)

Be fair, they botch the user interface as well.

Re:Use microsoft == get screwed (0)

Anonymous Coward | more than 4 years ago | (#30043450)

Getting screwed is a feature not a bug!

Captcha: unbroken

Source of URL (3, Informative)

pgn674 (995941) | more than 4 years ago | (#30043220)

If anyone is quickly wondering exactly where he got the info to construct the request URL in his original post (like, how did he know about jftid, jfoid, and jfmid?), it looks like page 33 of the linked Integration Guide PDF [microsoft.com] gives the URL https://ssl.bing.com/cashback/javascripts/1x1tracking.js [bing.com]. That JavaScript file has info on constructing that URL.

Solution (2, Interesting)

QuoteMstr (55051) | more than 4 years ago | (#30043284)

All Microsoft needed to do was include a Message Authentication Code [wikipedia.org] (such as, say, HMAC-SHA1) in the tracking image URL. Microsoft and the merchant obviously already have a shared secret they can use for the purpose. Using a MAC would have been practically free.

Given what Microsoft pays its programmers, I'm just appalled that nobody thought to include basic precautions in a brand-new interface written in this day and age. Whoever wrote the Bing API specification really should have known better.

Re:Solution (2, Interesting)

mdenham (747985) | more than 4 years ago | (#30043312)

Whoever wrote the Bing API was probably planning on exploiting it in exactly this fashion.

Re:Solution (2, Interesting)

QuoteMstr (55051) | more than 4 years ago | (#30043336)

A cleverer backdoor would have been a weak custom MAC (say, just the H(M) + secret). Then it'd still be exploitable, yet not obviously bad.

This article [root.org] goes into the reasons why HMACs are constructed the way they are, and about how naive constructions can be exploited.

Re:Solution (0)

Anonymous Coward | more than 4 years ago | (#30043592)

I'd consider HMAC-SHA256 or HMAC-SHA512 these days. SHA1 is a lot more sturdy than MD5, but it is nearing the end of its useful lifespan. This is why NIST is running a competition looking for the next SHA-3 algorithm, similar to how AES was chosen, results likely expected in 2012 (from the wiki).

Re:Solution (1)

QuoteMstr (55051) | more than 4 years ago | (#30043640)

You're absolutely right. SHA-1 is sturdy enough, and would still have been a responsible choice[1]. Nevertheless, moving to one of the SHA-2 algorithms (like SHA-256 or SHA-512) moves the mental confidence gauge from "damn sure" to "would bet my career on it".

One point worth mentioning is that if you're worried about the output size of one of the SHA-2 hash functions (64 bytes is a little heavy), you can just truncate the output. SHA-512 truncated to the size of SHA-1 (160 bits) shouldn't be any less secure than SHA-1 itself.

[1] Unlike MD5, which is as secure as a treehouse in a tornado. It still absolutely boggles the mind that people use raw, unsalted MD5 to store passwords, and use raw MD5s for file authentication.

Re:Solution (1)

bjourne (1034822) | more than 4 years ago | (#30043692)

Can you elaborate on that? The tracking pixels are used to report transactions to Bing's API by having the customer's web browser do a GET request to Bing's cashback server. Since it is all done on the client side, a malicious user could just include the MAC for the merchant in the forged transaction. So I don't see how using a MAC would help at all.

Re:Solution (2, Informative)

QuoteMstr (55051) | more than 4 years ago | (#30043746)

Can you elaborate on that?

Sure. A MAC actually can mean two things, depending on context: an algorithm or a value. I'm going to use "MAC" to mean the algorithm, and "authenticator" to refer to the output of the algorithm. YMMV.

The MAC takes as input the message to be authenticated, M, and a key S. Let's say that M is information about the item to be purchased, and S is a password the merchant set up with Microsoft. Running the MAC on M and S produces A. The sender of the message sends both A and M to the recipient. In more concrete terms, the tracking pixel's URL includes both information about the purchased item (like it does now) and the output of the MAC algorithm.

The recipient runs the MAC algorithm on the M' he receives (using the agreed-upon S), and compares its output, A' to the A it received along with the message. If A = A', M is authentic. If not, M is a forgery.

A malicious user could alter the tracking pixel URL, sure, but because she doesn't know S, she can't generate an authenticator A that the server will accept. She can choose to either send A and M unaltered, or not send anything at all.

One of the more popular MACs is called an HMAC, which stands for Hash MAC. Unsurprisingly, it's a MAC built out of a hash function. The Wikipedia article [wikipedia.org] provides details about how an HMAC is actually constructed. It's important to use that construction, because simpler approaches to building MACs out of hash functions (like just concatenating S and M) are vulnerable to various attacks.
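The MAC-protected tracking pixel proposed in this thread, written out as an added example (not code from the original posts, the Bing SDK, or Microsoft): the merchant's server computes an HMAC-SHA256 authenticator over the order fields and appends it as a hypothetical "mac" query parameter; the verifier recomputes it with the shared secret S, so the browser can relay the URL but cannot change the price or forge a new order, and a repeated order ID is rejected as a replay. The secret, the "mac" parameter name and the order values are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed shared secret standing in for whatever the merchant and Bing would
# agree on out of band (placeholder for this example, not a real key).
MERCHANT_SECRET = b"constructed-example-secret-not-a-real-key"
PIXEL_BASE = "https://ssl.search.live.com/cashback/pixel/index"
# The order fields from the tracking-pixel URL, in the fixed order both sides MAC them.
ORDER_FIELDS = ("jftid", "jfoid", "jfmid", "m[0]", "p[0]", "q[0]")


def canonical_message(params):
    """Serialise the order fields in a fixed order so the merchant and the
    verifier compute the MAC over exactly the same bytes."""
    return "&".join(f"{name}={params[name]}" for name in ORDER_FIELDS).encode()


def authenticator(params, secret):
    """HMAC-SHA256 over the canonical message, hex-encoded to fit a query string."""
    return hmac.new(secret, canonical_message(params), hashlib.sha256).hexdigest()


def build_pixel_url(order_id, merchant_id, item_id, price, quantity, secret):
    """Merchant side: build the pixel URL on the server, where the secret lives,
    and append the authenticator as a hypothetical 'mac' parameter."""
    params = {
        "jftid": "0",
        "jfoid": order_id,
        "jfmid": merchant_id,
        "m[0]": item_id,
        "p[0]": price,
        "q[0]": quantity,
    }
    params["mac"] = authenticator(params, secret)
    return PIXEL_BASE + "?" + urlencode(params)


class PixelVerifier:
    """Verifier side: check the authenticator and reject replayed order IDs."""

    def __init__(self, secret):
        self.secret = secret
        self.seen_order_ids = set()

    def verify(self, url):
        """Return the authenticated order fields, or None if the request is
        forged, tampered with, or repeats an order ID already reported."""
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        params = {name: values[0] for name, values in query.items()}
        presented = params.pop("mac", "")
        if any(name not in params for name in ORDER_FIELDS):
            return None
        expected = authenticator(params, self.secret)
        # Constant-time comparison so timing does not leak the expected value.
        if not hmac.compare_digest(presented, expected):
            return None
        if params["jfoid"] in self.seen_order_ids:
            return None
        self.seen_order_ids.add(params["jfoid"])
        return {name: params[name] for name in ORDER_FIELDS}


if __name__ == "__main__":
    url = build_pixel_url("A1001", "M42", "SKU-7", "19.99", "1", MERCHANT_SECRET)
    verifier = PixelVerifier(MERCHANT_SECRET)
    print("genuine request:", verifier.verify(url))
    tampered = url.replace("p%5B0%5D=19.99", "p%5B0%5D=104000.00")
    print("tampered price:", verifier.verify(tampered))
```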

Re:Solution (2, Informative)

Rufus211 (221883) | more than 4 years ago | (#30043922)

It's pretty clear that whoever designed this API didn't even take a passing glance at the security or reliability implications. There are 2 ways (from the linked slides) for a merchant to report cashback activity to MS:

1) Tracking pixel: this gives instant update to the user, but is completely insecure and also fairly unreliable (image fails to load, cross site https issues, random network hiccup, etc).

2) FTP upload of a plain text list: yes really, plain old FTP. This is at least reliable but is only authenticated by a plain-text user/pass. The list does not have any signature for authentication.

I'm not a web guy at all (I'm an ASIC hardware guy) and off the top of my head I can think of 2 real solutions:

The right way: SOAP. Gives instant update to the user, should be trivial in any backend web language, is reliable, is trivial to encrypt (https), is trivial to authenticate (a simple shared secret would be enough).

A reasonable way: both of the existing ones. The tracking pixel is used to provide instant user update in 99% of the cases, but the transaction is marked pending. At the end of the day the text list is uploaded to the FTP. Compare the 2 lists, approving all that match and flagging for review any that don't (extra, missing, or different). As an added bonus a cryptographic signature should be added to the list.

The problem with simply adding a MAC to the existing tracking pixel is that it doesn't fix the reliability issue. Also the advantage of the current tracking pixel is that it's stupidly easy to implement. If you're going to load in some libraries to do the MAC calculation on the server, you might as well load in a SOAP library and do the transaction properly.

It really boggles the mind that a bogus transaction could actually be paid out. That indicates there is absolutely no auditing or rationalization between what the e-tailer thinks should be paid out and what MS thinks should be paid out. Even something as stupid as end-of-month totals should flag that there are bogus transactions.
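The end-of-day reconciliation described in this comment (and the auditing step the thread keeps coming back to), as an added example that is not part of the original post: pending pixel-reported transactions are compared against the merchant's own order list by order ID, matches are approved, and anything extra, missing or different is held for review, with the held cash-back totalled per account. Both lists are constructed sample data.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data: what the tracking pixels reported during the day
# (all marked pending) and the merchant's own end-of-day order list.
PIXEL_REPORTS = [
    {"order_id": "1001", "account": "acct-a", "amount": "19.99"},
    {"order_id": "1002", "account": "acct-b", "amount": "1.00"},
    {"order_id": "1003", "account": "acct-b", "amount": "104000.00"},
    {"order_id": "1004", "account": "acct-c", "amount": "55.00"},
]
MERCHANT_BATCH = [
    {"order_id": "1001", "account": "acct-a", "amount": "19.99"},
    {"order_id": "1004", "account": "acct-c", "amount": "45.00"},
    {"order_id": "1005", "account": "acct-d", "amount": "12.50"},
]


def reconcile(pixel_reports, merchant_batch):
    """Compare the two lists by order ID. Matching rows are approved for payout;
    everything else is held and bucketed as extra (pixel only), missing
    (merchant only) or mismatched (same order ID, different account or amount)."""
    by_id_pixel = {r["order_id"]: r for r in pixel_reports}
    by_id_merchant = {r["order_id"]: r for r in merchant_batch}
    result = {"approved": [], "extra": [], "missing": [], "mismatched": []}
    for order_id in sorted(set(by_id_pixel) | set(by_id_merchant)):
        pixel = by_id_pixel.get(order_id)
        merchant = by_id_merchant.get(order_id)
        if pixel is None:
            # Genuine sale the pixel never delivered (blocked image, network hiccup).
            result["missing"].append(order_id)
        elif merchant is None:
            # Reported to Bing but unknown to the merchant: a candidate forgery.
            result["extra"].append(order_id)
        elif (pixel["account"] != merchant["account"]
              or Decimal(pixel["amount"]) != Decimal(merchant["amount"])):
            result["mismatched"].append(order_id)
        else:
            result["approved"].append(order_id)
    return result


def held_amount_by_account(pixel_reports, result):
    """Sum the pending cash-back claims that did not reconcile, per account, so a
    single account behind a large unmatched claim stands out in review."""
    held = set(result["extra"]) | set(result["mismatched"])
    totals = defaultdict(Decimal)
    for report in pixel_reports:
        if report["order_id"] in held:
            totals[report["account"]] += Decimal(report["amount"])
    return dict(totals)


if __name__ == "__main__":
    outcome = reconcile(PIXEL_REPORTS, MERCHANT_BATCH)
    for bucket, order_ids in outcome.items():
        print(f"{bucket:>10}: {order_ids}")
    print("held per account:", held_amount_by_account(PIXEL_REPORTS, outcome))
```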

Re:Solution (1)

QuoteMstr (55051) | more than 4 years ago | (#30043988)

The right way: SOAP

Yep. You don't need SOAP per se, though. The important thing is having the merchant talk directly to Microsoft. Some people are oddly resistant to that notion though, and if you're going to use the tracking pixel approach, you need a MAC.

That indicates there is absolutely no auditing or rationalization between what the e-tailer thinks should be paid out and what MS thinks should be paid out. Even something as stupid as end-of-month totals should flag that there are bogus transactions.

Agreed. The sad thing is that from a certain point of view, it can make more sense to limit the damage through audits than to try to make the system secure in the first place. Just look at the state of the credit card system.

But then they put the key in plaintext in JS (1)

originalhack (142366) | more than 4 years ago | (#30043924)

Seriously.... they couldn't possibly assume that their affiliates can program, so the key would have to be in the users' web browser instead of on the affiliates' server.

Re:But then they put the key in plaintext in JS (1)

QuoteMstr (55051) | more than 4 years ago | (#30043960)

Merchants must at least have some ability to program, otherwise they wouldn't be able to create sites at all. Creating a MAC authenticator isn't hard: all you need to do is call a hash function a few times. But as another poster mentioned, the better thing to do is to just have the merchant talk directly to Microsoft and sidestep the whole problem.

mirrored post (2, Informative)

lkcl (517947) | more than 4 years ago | (#30043400)

http://lkcl.net/reports/bing.censorship.attempt [lkcl.net] - additional mirrors will be added as i find them.

Re:mirrored post (1)

Jugalator (259273) | more than 4 years ago | (#30043438)

I simply screenshot it and uploaded it to an image host. *shrug* The cat is already out of the bag now, and MS will have to fix this.

Re:mirrored post (1)

SharpFang (651121) | more than 4 years ago | (#30043736)

fuck you. do not attempt to censor people's efforts to bring to your attention your own stupidity. go fix the problem, and pay the guy who found the problem a lot of money, as a thank you.

Microsoft's standard policy of thank-you for people who help them prevent multi-million losses is a free T-shirt. You can't really hope for any better.

Fix the spelling, FFS (0)

Anonymous Coward | more than 4 years ago | (#30043668)

What exactly is the point of submissions being labelled "typo" on the firehose if they're not going to be fixed in the article?

Mirror (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#30043672)

For posterity

Just in case it disappears from the cache, too (0, Redundant)

dotancohen (1015143) | more than 4 years ago | (#30043722)

Just in case it disappears from the cache, too:


It's called fraud (5, Insightful)

cookd (72933) | more than 4 years ago | (#30043866)

This is called "fraud". Look it up. It's been around for a long time, a lot longer than HTTP. There are standard business practices for dealing with it. Not all of them are technical. This system's technical defenses are probably sufficient to raise an alarm (delayed by a few weeks as the results are collated), and it will produce a pretty good paper trail leading to the owner of the Bing account. Some of the systems take into account minor details such as the existence of accountants, a police force, a paper trail, and a legal system. Obviously some stronger technical measures might have made it a bit more difficult to pull off this particular fraud, or maybe it might have even stopped it, but the non-technical measures will also work just fine if they are called into play.

Whether or not the door is obviously guarded, it's still illegal to steal stuff from a store. The fact that the door was not protected with the latest and greatest in RFID theft detection systems doesn't change the fact that what you are doing is illegal. And perhaps the tracking process is slower than what you see in movies, people still get tracked down and arrested, days or weeks after the event. Moving from the streets onto the Internet doesn't really change the rules much (except that your case will probably wind up with Federal jurisdiction).

In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following:
1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account.
2. Noticed that the cash back did show up with no problem as "available for withdrawal".
3. Tried again with a much larger purchase. Again the purchase shows up in his account.
4. Hacker is hoping that the amount will soon become available for withdrawal.

On the other side of the world, the accounting systems for Microsoft and the associated merchant have likely compared invoices and noticed the discrepancies. The small ones got noted, but they were thrown out as "somebody is playing with the system, but it's not worth dealing with it". But this month, when going over the books, they're going to find a nice big 100,000 item that doesn't match up with any purchase recorded on the store's official records. However, they do have the account number of the buyer that should be getting the cash back. I'm not sure what typically happens at this point, but it probably involves cancelling dinner for the wolf pack so that by the time they're ready to send out the posse, the wolves are hungry.

In this case, Microsoft has apparently (I haven't looked into this) provided an API by which a store can report a sale and attribute the sale to a particular Bing account. The API has varying levels of security, depending on how much effort the store wants to put into preventing fake transactions from entering the system. Low effort might be fine and takes less time to set up, but it's easier to attack and that means more work to do when reconciling the accounts. Just like many other mechanisms for quickly distributing non-critical information between merchants, this isn't meant to be the authoritative information transmission system, just a way for people to keep status on accounts in between the regularly-scheduled account reconciliations. This way Bing can update your account balance within seconds of the purchase. Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences. The differences go to the auditor and possibly to the police or FBI.

Could we maybe just think for a second before acting like jerks? Being a jerk means everybody suffers. I mean, just because I see a way to deface somebody's website doesn't mean I am obligated to do so. I walk by 100 cars a day, and I could easily spray shaving cream all over them and not get caught. But if everybody did that, quality of life would go down for everybody. Same thing on the internet.

I hate this attitude out there that "if it isn't nailed down, I have every right to grab it and take it home, and if it is nailed down, I have every right to destroy it". I don't want a world (or even an Internet) where everything is nailed down and/or destroyed. I like being able to sit down on the occasional park bench. I like seeing the quick web sites put up by some teenagers to show off whatever crazy idea has their attention this week. It would be a pity for the park bench to be vandalized "just because it wasn't properly secured -- to teach those guys a lesson!", because then the park would have to hire security guards (paid for by my taxes) or close down. And simple kiddie web sites about cute kittens shouldn't become defaced just because they were using a version of Drupal that they didn't know how to lock down.

In my sister's neighborhood, people actually know each other and are friendly, but there have been some break-ins the past few weeks. That just plain shouldn't happen -- it causes real harm to people. But when my sister saw that a neighbor had left the garage door open, she called the neighbor and the problem was solved. I'm not sure what the problem was -- perhaps the door was closed immediately, or maybe it was open for a reason (people were in the garage working, or there was nothing in the garage to steal, or the police were baiting the people who had been breaking in). But the problem didn't have to be resolved by stealing stuff out of the garage as a "proof of concept".

Certainly security ought to be part of our thinking as we develop and deploy software. I don't want my mom's computer to get screwed up by the next big virus (though Vista's UAC has been doing its job pretty well so far for her). But honesty and responsibility should guide our thinking as we use software. And just as we have to learn that there are non-technical attack vectors (75% success rate for "I'll give you a candy bar if you give me your password"), we shouldn't be so narrow-minded as to think that there are no non-technical mitigations (the inevitable paper trail and the criminal justice system help keep me from trying to scam Bing, just in case my personal code of honor should somehow fail).

Re:It's called fraud (0)

Anonymous Coward | more than 4 years ago | (#30043962)

I wish I had mod points right now. Well said!

Re:It's called fraud (1)

sskinnider (1069312) | more than 4 years ago | (#30044150)

And meanwhile, only the other consumers are hurt over this incompetent programming. The cost of fraud is passed directly to the customer, it does not hurt Microsoft.

Hey Mercedes! (2, Insightful)

tjstork (137384) | more than 4 years ago | (#30044002)

Your car has an exploit, so I stole it and drove it into a wall to prove a point.
