Microsoft Tries To Censor Bing Vulnerability
An anonymous reader writes "Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cash-back exploit with a cease & desist letter, rather than by fixing the underlying security problem. It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing. The original post is currently available in Bing's cache, although perhaps not for long. But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK."
The parent is a really insightful comment on Slashdot!
Given that advertising is the main cash income for online services, how could MS be doing nothing at all?
Just in case it disappears from the cache, too:
I’ve never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let’s see how these transactions might have “accidentally” got credited to my account.
First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:
https://ssl.search.live.com/cashback/pixel/index?
jftid=0&jfoid=&jfmid=
&m[0]=&p[0]=&q[0]=
This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I’m not going to explain exactly how to generate the fake requests so that they actually post, but it’s not complicated. Bing doesn’t seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have “cleared,” and I’m guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.
Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven’t done enough work to say it with confidence, but a malicious user might be able to block another user’s legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order IDs (e.g. sequential), a malicious user can “use up” all the future order IDs, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.
Based on what I’ve found, I wouldn’t implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, I’ll demonstrate some other subtle but important reasons to avoid using Bing Cashback.
It is dangerous to be right when the government is wrong.
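The two problems the quoted post describes (anyone can post a transaction because the tracking pixel carries no proof that the merchant sent it, and a duplicate-order-ID check on predictable IDs lets an attacker pre-register future orders) are easiest to see side by side in a small model. The following is an added example written for this page, not code from the original post and not Bing's implementation: the ledger, the parameter names reused from the pixel URL above (jfmid as merchant ID, jfoid as order ID), the extra user/cents/sig fields, the shared secret and the merchant "shop-42" are all hypothetical stand-ins. It runs the same two attacks against an unauthenticated ingestion path and against one that requires an HMAC computed with a secret only the merchant's server holds.

```python
"""Added example (not Bing's code): an unauthenticated tracking pixel lets anyone
post transactions, and sequential order IDs let an attacker pre-exhaust them.
Every name, parameter and secret below is a hypothetical stand-in."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Hypothetical shared secret issued to a merchant at enrolment (assumption).
MERCHANT_SECRETS = {"shop-42": b"merchant-42-shared-secret"}


def sign(params, secret):
    """HMAC-SHA256 over the canonical (sorted) query string, 'sig' excluded."""
    canonical = urlencode(sorted((k, v) for k, v in params.items() if k != "sig"))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


class CashbackLedger:
    """Toy model of the cashback service's ingestion side."""

    def __init__(self, require_signature):
        self.require_signature = require_signature
        self.seen = set()      # (merchant id, order id) pairs already reported
        self.balances = {}     # user id -> cents credited

    def report(self, query):
        """Ingest one transaction report given as a query string."""
        p = {k: v[0] for k, v in parse_qs(query).items()}
        secret = MERCHANT_SECRETS.get(p.get("jfmid"))
        if secret is None:
            return "rejected: unknown merchant"
        if self.require_signature and not hmac.compare_digest(
            p.get("sig", ""), sign(p, secret)
        ):
            return "rejected: bad signature"
        key = (p["jfmid"], p["jfoid"])
        if key in self.seen:              # the duplicate-order-ID check from the post
            return "ignored: duplicate order id"
        self.seen.add(key)
        self.balances[p["user"]] = self.balances.get(p["user"], 0) + int(p["cents"])
        return "credited"


def merchant_report(ledger, order_id, user, cents):
    """What the merchant's own server sends, signed with the shared secret."""
    p = {"jfmid": "shop-42", "jfoid": order_id, "user": user, "cents": str(cents)}
    p["sig"] = sign(p, MERCHANT_SECRETS["shop-42"])
    return ledger.report(urlencode(p))


def forged_report(ledger, order_id, user, cents):
    """What an attacker can send: the same fields, but no valid signature."""
    p = {"jfmid": "shop-42", "jfoid": order_id, "user": user,
         "cents": str(cents), "sig": "0" * 64}
    return ledger.report(urlencode(p))


def demo(require_signature, sequential_ids):
    """Run both attacks from the post against one ledger configuration.

    Returns (result of the forged credit, attacker's balance in cents,
    result of a legitimate report made afterwards by the merchant).
    """
    ledger = CashbackLedger(require_signature)
    # Attack 1: credit a fake $104,000 purchase to the attacker's own account.
    forged = forged_report(ledger, "900001", "mallory", 10_400_000)
    # Attack 2: pre-register the next ten order IDs so real ones collide.
    if sequential_ids:
        for oid in range(1001, 1011):
            forged_report(ledger, str(oid), "mallory", 1)
        alice_order = "1005"                 # a real order the store issues next
    else:
        alice_order = secrets.token_hex(8)   # unguessable, cannot be pre-registered
        for _ in range(10):
            forged_report(ledger, secrets.token_hex(8), "mallory", 1)
    legit = merchant_report(ledger, alice_order, "alice", 500)
    return forged, ledger.balances.get("mallory", 0), legit


if __name__ == "__main__":
    print(demo(require_signature=False, sequential_ids=True))   # both attacks succeed
    print(demo(require_signature=True, sequential_ids=True))    # both rejected
    print(demo(require_signature=True, sequential_ids=False))   # both rejected
```

The point of the signature is that it has to be produced where the secret lives: a pixel fetched by the customer's browser can only carry what the page already contains, so a merchant that wants to keep the pixel would have to compute the signature server-side when rendering the confirmation page, and the service would still need the duplicate check to stop replay of a captured, validly signed URL. Unpredictable order IDs are a separate fix for the second problem; in the model they matter only if the attacker can post at all, which the signature already prevents.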
Actually, it's a legitimate test. They may or may not have sanity checks and other security measures that are based on dollar amount. Testing at a few cents doesn't mean much (unless you do it at a high volume). Merchants won't care if they have been ripped off by a few cents a year (well, they might, but won't want to increase costs by a few dollars to address it). The test is to see if a large amount can work. Apparently it does if it finishes going through. If he gets a check for the amount and CAN cash it, the exploit works and the system is vulnerable. OTOH, if they catch this, even at a later date, and prevent the cash from being released, then maybe it is secure. The only way to PROVE that their system is vulnerable at an important level is to actually test it at that level. He should, of course, immediately surrender the cash back to whoever it came from to prove that his intentions are not to steal but to prove it is easy to steal.
If someone claims no one can get into their warehouse, and you just try the door and find it unlocked, whose fault is that? That's legally "breaking" (even if the door is not locked ... entering would be next). But the claim is fraud if used in connection with telling people no one can get into the warehouse when it is clearly false. But the crime has to be done, at least in part, to prove the fraud. I just don't see opening the door as a moral crime (or even entering and taking things out as long as you don't keep them and just do this to prove the fraud). The fraud, however, is definitely a moral crime. We need to put (a lot) more CEOs in prison in this country (probably at least half of the Fortune 500 ones).
now we need to go OSS in diesel cars
oOps...
I guess _that_ demonstrates the value of the "Preview" button!
Exceeding the recommended torque is not recommended.
and as a lawyer who sends C&Ds for a living... Wow, that's sad. That's almost like admitting to being a parking inspector...
I'm a parking inspector, you insensitive clod!
Surface was unveiled by Microsoft CEO Steve Ballmer on May 30, 2007 at The Wall Street Journal's 'D: All Things Digital' conference in Carlsbad, California.[10]
Microsoft-sponsored demo.
Surface Computing is part of Microsoft's Productivity and Extended Consumer Experiences Group, which is within the Entertainment & Devices division. The first few companies to deploy Surface will include Harrah's Entertainment, Starwood Hotels & Resorts Worldwide, T-Mobile and a distributor, International Game Technology.[11]
Any actual deployments?
On April 17, 2008 AT&T became the first retail location to launch Surface.[12] In June 2008 Harrah's Entertainment launched Microsoft Surface at Rio iBar[13] and Disneyland launched it in Tomorrowland, Innoventions Dream Home[14]. On August 13, 2008 Sheraton Hotels introduced Surface in their hotel lobbies at 5 locations[15]. On September 8, 2008 MSNBC began using the Surface to work with election maps for the 2008 US Presidential Election on air. MSNBC's political director, Chuck Todd, was placed at the helm.
All sound like Microsoft-sponsored demos and pilot projects.
Contrary to the popular belief, there indeed is no God.