Microsoft Tries To Censor Bing Vulnerability
An anonymous reader writes "Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cash-back exploit with a cease & desist letter, rather than by fixing the underlying security problem. It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing. The original post is currently available in Bing's cache, although perhaps not for long. But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK."
it will probably be all over the rest of the internet and general common knowledge within the week.
A bullet may have your name on it but splash damage is addressed "To whom it may concern."
I'm curious how 'anonymous reader' knows that Microsoft is doing nothing to fix the problem. This has been bugging me for a long time. It's possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system? A C&D letter doesn't mean that other actions haven't been taken. Just a thought.
It seems like people have still not learned to never trust anything from the user. This reminds me of some trivially exploitable web merchants years ago. They would store the entire shopping basket, including prices, in the user's cookies. The user simply modifies their cookies so that everything costs $1 or $0.01 and they could order a dozen CPUs / t-shirts / whatever for a few bucks.
is the line from the letter
"cease and desist the posting in any location of the material and information contained in this post"
Seeing as it is their SDK that contains the details of this "feature", are they going to send themselves a C&D and then pull the SDK?
Regarding the tracking pixel approach: H.L. Mencken once wrote, "there is always a well-known solution to every human problem -- neat, plausible, and wrong." I cannot think of a situation to which this sentiment better applies.
After about 30 years is this still news?
Use Microsoft software and you get screwed. They don't design software they design the user interface and botch the software. They are now as always a marketing not an IT company. It's always been that way, it will always be that way.
Seems pretty spot-on to me.
If anyone is quickly wondering exactly where he got the info to construct the request URL in his original post (like, how did he know about jftid, jfoid, and jfmid?), it looks like page 33 of the linked Integration Guide PDF gives the URL https://ssl.bing.com/cashback/javascripts/1x1tracking.js. That JavaScript file has info on constructing that URL.
If you have a glaring vulnerability that lets people defraud your customers out of arbitrary amounts of money, the only sane thing to do is immediately disable the feature. Not wait for a solution. Not cover up the issue. You make coverage of the issue irrelevant. If one person figured it out and wrote about it, 100 other people also figured it out and are using it for personal gain.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
All Microsoft needed to do was include a Message Authentication Code (such as, say, HMAC-SHA1) in the tracking image URL. Microsoft and the merchant obviously already have a shared secret they can use for the purpose. Using a MAC would have been practically free.
Given what Microsoft pays its programmers, I'm just appalled that nobody thought to include basic precautions in a brand-new interface written in this day and age. Whoever wrote the Bing API specification really should have known better.
FOSS == Fix yourself.
Try that without any source code.
Or with "Open Source" MSLPL code.
http://lkcl.net/reports/bing.censorship.attempt - additional mirrors will be added as I find them.
Just interested in keeping the extra income 8)
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
This is no more a cheat than taking someone's money for a shell game and showing them afterwards how they were scammed.
If he's said "by the way, I managed to get 20 grand off you by this" then he's not defrauded them. If he'd kept quiet THEN he'd have defrauded them.
What exactly is the point of submissions being labelled "typo" on the firehose if they're not going to be fixed in the article?
Just in case it disappears from the cache, too:
I’ve never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let’s see how these transactions might have “accidentally” got credited to my account.
First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:
https://ssl.search.live.com/cashback/pixel/index?
jftid=0&jfoid=&jfmid=
&m[0]=&p[0]=&q[0]=
This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I’m not going to explain exactly how to generate the fake requests so that they actually post, but it’s not complicated. Bing doesn’t seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have “cleared,” and I’m guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.
Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven’t done enough work to say it with confidence, but a malicious user might be able to block another user’s legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order IDs (e.g. sequential), a malicious user can “use up” all the future order IDs, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.
Based on what I’ve found, I wouldn’t implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, I’ll demonstrate some other subtle but important reasons to avoid using Bing Cashback.
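The two design points raised in this thread, the unauthenticated tracking pixel described in the quoted post and the suggestion in an earlier comment that a MAC over the pixel URL would have closed the hole, can be shown side by side. The following is an added example, not code from the post, from Microsoft, or from the Bing SDK. It reuses the endpoint and parameter names quoted above (jftid, jfoid, jfmid, m[0], p[0], q[0]); the merchant id, the shared secret, the sig parameter and the use of HMAC-SHA256 rather than HMAC-SHA1 are assumptions made for the example. The naive receiver credits any well-formed request and lets an unsigned request consume an order id; the hardened receiver verifies the MAC before it touches the ledger or the duplicate-order set, which is what stops both the forged credits and the order-id exhaustion the post describes.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint as quoted in the post. Merchant id and secret are constructed
# placeholders for this example, not real Bing or merchant values.
ENDPOINT = "https://ssl.search.live.com/cashback/pixel/index"
MERCHANT_ID = "merchant-42"
SHARED_SECRET = b"constructed-shared-secret-not-a-real-key"

# Fields covered by the MAC, in a fixed order so both sides serialize identically.
SIGNED_FIELDS = ("jfmid", "jfoid", "m[0]", "p[0]", "q[0]")


def sign(params, secret):
    """HMAC-SHA256 over the canonical field string (an assumed scheme; the
    thread mentions HMAC-SHA1, any keyed MAC works the same way here)."""
    canonical = "&".join(f"{k}={params[k]}" for k in SIGNED_FIELDS)
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def build_pixel_url(order_id, sku, price, qty, secret=SHARED_SECRET):
    """Merchant side: build the tracking-pixel URL with a MAC appended as 'sig'."""
    params = {
        "jftid": "0",
        "jfmid": MERCHANT_ID,
        "jfoid": order_id,
        "m[0]": sku,
        "p[0]": f"{price:.2f}",
        "q[0]": str(qty),
    }
    params["sig"] = sign(params, secret)
    return ENDPOINT + "?" + urlencode(params)


def _params(url):
    """First value of each query parameter, as a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class CashbackLedger:
    """Receiver side. handle_naive mirrors the behaviour the post describes;
    handle_signed is the hardened variant."""

    def __init__(self, secrets):
        self.secrets = secrets   # merchant id -> shared secret
        self.seen = set()        # (merchant id, order id) already credited
        self.credited = []       # amounts credited, in order of arrival

    def _credit(self, p):
        key = (p["jfmid"], p["jfoid"])
        if key in self.seen:
            return "duplicate"
        self.seen.add(key)
        self.credited.append(round(float(p["p[0]"]) * int(p["q[0]"]), 2))
        return "credited"

    def handle_naive(self, url):
        """Trusts any well-formed request: forged transactions are credited, and
        a forged order id makes the later genuine one look like a duplicate."""
        try:
            return self._credit(_params(url))
        except (KeyError, ValueError):
            return "rejected: malformed"

    def handle_signed(self, url):
        """Authenticate first; only a request with a valid MAC may reach the
        ledger or the seen-order-id set, so unsigned traffic cannot use ids up."""
        p = _params(url)
        secret = self.secrets.get(p.get("jfmid"))
        if secret is None or "sig" not in p:
            return "rejected: unauthenticated"
        try:
            expected = sign(p, secret)
        except KeyError:
            return "rejected: malformed"
        if not hmac.compare_digest(expected.encode(), p["sig"].encode()):
            return "rejected: bad signature"
        try:
            return self._credit(p)
        except ValueError:
            return "rejected: malformed"
```

The receiver looks the secret up by merchant id before doing anything else, and the duplicate-order check runs only after the MAC verifies; with that ordering a request that cannot prove it came from the merchant cannot alter the ledger in either direction.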
It is dangerous to be right when the government is wrong.
This is called "fraud". Look it up. It's been around for a long time, a lot longer than HTTP. There are standard business practices for dealing with it. Not all of them are technical. This system's technical defenses are probably sufficient to raise an alarm (delayed by a few weeks as the results are collated), and it will produce a pretty good paper trail leading to the owner of the Bing account. Some of the systems take into account minor details such as the existence of accountants, a police force, a paper trail, and a legal system. Obviously some stronger technical measures might have made it a bit more difficult to pull off this particular fraud, or maybe it might have even stopped it, but the non-technical measures will also work just fine if they are called into play.
Whether or not the door is obviously guarded, it's still illegal to steal stuff from a store. The fact that the door was not protected with the latest and greatest in RFID theft detection systems doesn't change the fact that what you are doing is illegal. And perhaps the tracking process is slower than what you see in movies, people still get tracked down and arrested, days or weeks after the event. Moving from the streets onto the Internet doesn't really change the rules much (except that your case will probably wind up with Federal jurisdiction).
In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following:
1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account.
2. Noticed that the cash back did show up with no problem as "available for withdrawal".
3. Tried again with a much larger purchase. Again the purchase shows up in his account.
4. Hacker is hoping that the amount will soon become available for withdrawal.
On the other side of the world, the accounting systems for Microsoft and the associated merchant have likely compared invoices and noticed the discrepancies. The small ones got noted, but they were thrown out as "somebody is playing with the system, but it's not worth dealing with it". But this month, when going over the books, they're going to find a nice big 100,000 item that doesn't match up with any purchase recorded on the store's official records. However, they do have the account number of the buyer that should be getting the cash back. I'm not sure what typically happens at this point, but it probably involves cancelling dinner for the wolf pack so that by the time they're ready to send out the posse, the wolves are hungry.
In this case, Microsoft has apparently (I haven't looked into this) provided an API by which a store can report a sale and attribute the sale to a particular Bing account. The API has varying levels of security, depending on how much effort the store wants to put into preventing fake transactions from entering the system. Low effort might be fine and takes less time to set up, but it's easier to attack and that means more work to do when reconciling the accounts. Just like many other mechanisms for quickly distributing non-critical information between merchants, this isn't meant to be the authoritative information transmission system, just a way for people to keep status on accounts in between the regularly-scheduled account reconciliations. This way Bing can update your account balance within seconds of the purchase. Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences. The differences go to the auditor and possibly to the police or FBI.
Could we maybe just think for a second before acting like jerks? Being a jerk means everybody suffers. I mean, just because I see a way to deface somebody's website doesn't mean I am obligated to do so. I walk by 100 cars a day, and I could easily spray shaving cream all over them and not get caught. But if everybody did that, quality of life would go down for everybody. Same thing on the internet.
I hate this attitude out there th
Time flies like an arrow. Fruit flies like a banana.
Seriously.... they couldn't possibly assume that their affiliates can program, so the key would have to be in the users' web browser instead of on the affiliates' server.
Your car has an exploit, so I stole it and drove it into a wall to prove a point.
This is my sig.
Our income taxes aren't progressive enough.
Basically, what you are arguing is to replace a software company that YOU don't like with a totalitarian state.
I would think it would be just easier to use a different operating system.
Microsoft has posted this page in response:
http://www.bing.com/search?q=bing+cashback+vulnerability&go=&form=QBLH&filt=all&qs=n
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
What bing vulnerability?
Ever heard of the "Streisand Effect"?
You can't cause people to "unlearn" something. An example for ya...
Enjoy your broken system. Or maybe you'd better change it, word is REALLY out now.
It isn't a crime.
He's owning up BEFORE he could possibly find out.
How many times have we heard someone say "that's only a theoretical loophole"?
Well guess what: if they try it with this, they've lost 20 grand.
I guess they won't be picking that defence here.
I'm not saying I could have done better than the engineers at Bing. In fact I'm certain I would have done worse. But I know I or my peers would have spotted the flaw in my design and have started working on a fix. That's because I work with Open Source software and thousands of eyes would have reviewed the code... sometimes with very hostile intent... and the product would not have been a big ego but a solid product. It's not that Open Source is better... it's that it gets peer reviewed without ego.
Microsoft, this is why you will eventually lose. All is not lost, you can change... you can learn. But honestly... when *will* you?
A story for you. And it's true.
A journalist gave wrong identification to the security for entry to a birthday party for the Royal Family. Big Target.
He then posted how he got in and that the security was ineffective.
The police response?
He wasn't a terrorist, he was a journalist, so therefore the security procedures that were meant to keep out terrorists and other bad people hadn't failed.
I.e. the only way to prove the security sucks is to either
a) kill someone there with a bomb
b) get a terrorist in under the false ID
And in this case, the taking (and then admitting) of 20 grand is proving that there is no option for them to say "this wasn't really a failure".
But I guess you'd rather the bearer of bad news be hung out to dry than problems fixed.
You are a funny boy! To misquote David Pogue, Microsoft will lose when businesses decide that computers are no longer useful.
It's good to have more than one ecosystem out there. There's every chance that the engineers at Microsoft knew about this vulnerability and, in the interests of simplification, decided to allow it for business reasons. Those happen sometimes ;). Credit card companies could engage mechanisms that would make it MUCH more difficult to do fraudulent charges against a card, but they elect not to because they don't want to impose a "drag" on sales of any kind. They've clearly calculated that their losses from "drag" would exceed their losses from fraud.
Don't drop the soap, if you do, don't bend over to pick it up. Don't look people in the eyes, and plead no-contest.
Lots of people are screaming "Wire Fraud" about this but I don't buy it. Microsoft needs to be accountable for their lack of security. They cost the world Billions of dollars (lost productivity plus value of the anti-virus/removal industry) because they're the leaders of a mentality where rushing products out the door is preferable to more reliable measures.
I mean... blame the person who exploited the crappy security all you want... but if Microsoft doesn't stop the $2k deposit from going into his account I don't think laws should give them a leg to stand on. One poster noted that Microsoft probably has a team to review these large charges and I would agree that they do have resources to manually stop this large payment.
But if they don't stop it... well it MUST be more profitable to make that choice because Microsoft is a very, very smart business and they have historically made very, very ballsy and successful business decisions. So, as long as valuable taxpayer dollars don't get wasted on the case of whether it's morally right to exploit Microsoft for personal gain, I don't think there's much to talk about here. BUT if this becomes a court battle (Unreliable, Cheap Software v. John Doe) I hope the Unreliable, Cheap Software loses.
It really doesn't matter. Seems like the dumber the m$oft coder, the more people migrate to it. You can't fix stupid.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
Developers make tactical & strategic errors, entire companies do the same and sometimes the response is poorly handled when either is caught ... yadda, yadda, yadda. Let's not dwell on a common-place phenomenon inherent to humans. What causes me the most concern is the QA/QC that should catch this sort of thing is failing. That's the larger problem to me. What buffoon, and presumably somebody senior was responsible for oversight of the review process, was responsible for looking at a tracking-pixel based mechanism and letting it pass muster? What other responsibilities does this joker have in Redmond?
The Empire has to _pay_ people to use Bing?
Or do they have to pay the merchants to use it?
Or, is it _both_?
(FWIW: I don't have Windoze(tm)(r)(c), and can't use Bing)
I swear. Moderators can't read a /sarcasm tag anymore?
Posting anonymously, for obvious reasons....
Exceeding the recommended torque is not recommended.
Hey, it's just like Sharepoint. M$-sponsored media blames the 'eebil hakkerz' instead of turning a critical eye to the gross incompetence that engineered (and managed the engineering of) the M$ payment system. M$-sponsored media also blames the 'eebil hakkerz' to avoid turning a second spotlight on the businesses that knowingly rolled out services built from M$ products knowing from all tests and pilots that IT CANNOT WORK.
It is fraud, but the fraud is not committed by the dude that showed the emperor still has no clothes. If it's a blame game, put the blame where it belongs: on the pimply backs of M$ executives. DHS should have the whole executive body and board of directors in Camp X-Ray, if it were fulfilling its charter.
Only gov'ts can censor. This is concealing.
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!