Slashdot Mirror
Microsoft Tries To Censor Bing Vulnerability
An anonymous reader writes "Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cash-back exploit with a cease & desist letter, rather than by fixing the underlying security problem. It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing. The original post is currently available in Bing's cache, although perhaps not for long. But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK."
Problem is, sending a C&D letter is doubly ineffective:
In fact, compare that to the way the last TLS-related vulnerability was handled; in both cases, a critical flaw is revealed before a fix was ready. In the TLS case, it was handled with forthcoming and transparency. I'm not saying that MS should do the same (MS probably can't); but they would show more respect to Samir, and to all their bing cashback clients, by:
The thing that strikes me as odd is why anybody would bother taking the time to meddle with Bing. Does anybody actually use it? Really?
I know Google has its detractors, but surely no more than Microsoft. We can't all be Steve Ballmer...
it's the lack of thought for consequences of censorship that has me confused. in this day and age, with the overwhelming occurrences of embarrassment that occurs repeatedly over censorship attempts and cover-up attempts, surely businesses would work out by now that a "thank you! we'll fix this IMMEDIATELY! and we'll even pay you some money, and, for anyone else who is listening, we'll pay a BOUNTY to anyone else who privately reports security problems in the future!" approach would make them appear to be a much more enlightened and responsible company. ... or am i just expecting too much?
.
I wrote parking tickets as a job in college... very easy. My rule was to let people go if they showed up during the ticketing, which resolves every single confrontation in a positive way. If I had to call a tow truck on the car, I had to stand my ground, but only once did I encounter someone who showed up during the process and was a real dick about it.
The parking services was second only to tuition and the football team in amount of revenue generated for the school. If anything, I could write more tickets by letting the few people I encountered during my work go and moving on to the 98% of cars whose owners don't show up rather than wasting 20 minutes arguing with each of them.
Easily the least stressful job I've ever had.
Do what thou wilt shall be the whole of the Law
And people often do precisely that for affiliate programs. Is it any wonder these programs make up one of the shadier areas of the internet?
In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following: 1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account. 2. Noticed that the cash back did show up with no problem as "available for withdrawal". 3. Tried again with a much larger purchase. Again the purchase shows up in his account. 4. Hacker is hoping that the amount will soon become available for withdrawal.
5. Notified Microsoft about the issue?
Meanwhile, MS allowed a system where someone could redirect money to *someone else's* account, even an innocent third party. Imagine walking out of a local jewelry store, and the gate drops around you, sirens blare... all because a pickpocket put jewels in your pants. Imagine that instead of all of the sirens and gates, the store owner could have implemented a less expensive alternative that would have completely prevented the thief from doing this. So, the jewelry store is paying more to harass its customers... the store owners must enjoy it.
I've had to fight parking tickets in court, though, because they were unjustly given... If the parking space says, for example, that street parking is allowed until 4:00pm, and they write a ticket that's dated 4:01, then it's unreasonable... around here, they're supposed to give you 5 minutes' leeway to allow for differences in how your watch is set. (that's actually in the law in this part of the world).
Worse still is the time I was given a $300 parking ticket because the jackass who wrote it was more concerned with meeting his quota than he was looking for the accessible parking permit that was clearly displayed on the dashboard... at least, it was clearly displayed until your view of it was blocked by the parking ticket that the idiot put, quite literally, on top of the accessible parking permit. The ticket wasn't for going over time, it was because my car was parked in a handicapped spot, and he hadn't noticed the permit. That one was resolved by a trip to city hall with both the permit and the ticket, but I shouldn't have had to take an afternoon off work because of a blind parking warden.
I fully agree that parking inspectors do actually do some important work. And I accept that most of them are just trying to do an honest day's work, and trying to actually perform a civic service. But some of the parking wardens are clearly becoming jaded at being the furries of the law-enforcement community, and are taking it out on people by power tripping.