Slashdot Mirror


Microsoft Tries To Censor Bing Vulnerability

An anonymous reader writes "Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cash-back exploit with a cease & desist letter, rather than by fixing the underlying security problem. It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing. The original post is currently available in Bing's cache, although perhaps not for long. But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK."

3 of 275 comments

  1. Re:How does he know MS isn't doing anything else? by neothoron · Score: 5, Interesting

    Problem is, sending a C&D letter is doubly ineffective:

    • it barely has any effect in keeping potential exploiters from getting access to the vulnerability;
    • someone who cared enough about MS so that they could better themselves is treated like a nuisance (at best).

    In fact, compare that to the way the last TLS-related vulnerability was handled; in both cases, a critical flaw was revealed before a fix was ready. In the TLS case, it was handled with forthrightness and transparency. I'm not saying that MS should do the same (MS probably can't); but they would show more respect to Samir, and to all their Bing cashback clients, by:

    • Asking Samir to remove most of the "sensitive" post information - you know, instead of threatening litigation from the get-go.
    • Taking an official stance on that problem: what's the risk, who's affected, what should be done - instead of leaving Bing cashback clients vulnerable to misinformation and abuse.
  2. Re:How does he know MS isn't doing anything else? by mister_playboy · Score: 4, Interesting

    I wrote parking tickets as a job in college... very easy. My rule was to let people go if they showed up during the ticketing, which resolves every single confrontation in a positive way. If I had to call a tow truck on the car, I had to stand my ground, but only once did I encounter someone who showed up during the process and was a real jerk about it.

    Parking services was second only to tuition and the football team in the amount of revenue generated for the school. If anything, I could write more tickets by letting the few people I encountered during my work go and moving on to the 98% of cars whose owners don't show up, rather than wasting 20 minutes arguing with each of them.

    Easily the least stressful job I've ever had.

    --
    Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
  3. Re:And now thanks to /. and microsoft by QuoteMstr · Score: 4, Interesting

    Relying on a hidden browser-side hack for a financial transaction is just amazingly stupid and unnecessary, even if you don't spot any obvious flaws right away (because someone else will).

    And people often do precisely that for affiliate programs. Is it any wonder these programs make up one of the shadier areas of the internet?