Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Tries To Censor Bing Vulnerability

Posted by kdawson on from the don't-shout-and-wave-it-about dept.

An anonymous reader writes "Microsoft's Bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the breaking Bing cash-back exploit with a cease & desist letter, rather than by fixing the underlying security problem. It is possible for a malicious user to create fake Bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from Bing. The original post is currently available in Bing's cache, although perhaps not for long. But no worries, the author makes it clear that the exploit should be painfully obvious to anyone who reads the Bing cash-back SDK."

40 of 275 comments (clear)

  1. And now thanks to /. and microsoft by Shadow+of+Eternity · · Score: 5, Insightful

    it will probably be all over the rest of the internet and general common knowledge within the week.

    --
    A bullet may have your name on it but splash damage is addressed "To whom it may concern."
    1. Re:And now thanks to /. and microsoft by u38cg · · Score: 5, Funny
      That seems pretty unlikely to me.

      ~Barbara

      --
      [FUCK BETA]
    2. Re:And now thanks to /. and microsoft by Anonymous Coward · · Score: 3, Insightful

      The phrasing seemed pretty neutral to me. How would you have phrased it so that it doesn't seem to indicate that it is a bad thing?

    3. Re:And now thanks to /. and microsoft by Shadow+of+Eternity · · Score: 4, Insightful

      GP just wants someone to hate on, you don't get much more neutral in phrasing than that without making a two word post saying only "Streisand effect."

      --
      A bullet may have your name on it but splash damage is addressed "To whom it may concern."
    4. Re:And now thanks to /. and microsoft by BrokenHalo · · Score: 3, Interesting

      The thing that strikes me as odd is why anybody would bother taking the time to meddle with Bing. Does anybody actually use it? Really?

      I know Google has its detractors, but surely no more than Microsoft. We can't all be Steve Ballmer...

    5. Re:And now thanks to /. and microsoft by Anonymous Coward · · Score: 5, Informative

      like this you mean?

      Breaking Bing Cashback
      Posted November 4th, 2009 by Samir

      I've never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let's see how these transactions might have "accidentally" got credited to my account.

      First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the the transaction details back to Bing. The request for the tracking pixel looks something like this:

      https://ssl.search.live.com/cashback/pixel/index?
      jftid=0&jfoid=&jfmid=
      &m[0]=&p[0]=&q[0]=

      This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I'm not going to explain exactly how to generate the fake requests so that they actually post, but it's not complicated. Bing doesn't seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have "cleared," and I'm guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

      Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven't done enough work to say it with confidence, but a malicious user might be able to block another user's legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order ID's (e.g. sequential), a malicious user can "use up" all the future order ID's, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

      Based on what I've found, I wouldn't implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, I'll demonstrate some other subtle but important reasons to avoid using Bing Cashback.

    6. Re:And now thanks to /. and microsoft by theurge14 · · Score: 4, Insightful

      Wow, I didn't realize that there are people that still believe in that 'security through obscurity' nonsense.

    7. Re:And now thanks to /. and microsoft by mcvos · · Score: 5, Insightful

      Financial transactions based on a tracking pixel? Really? I just don't know where to start to point out how wrong that is.

      PayPal has dozens of different ways to pay, and most of them suck, but at least they don't encourage people to rely on tracking pixels. Either you explicitly send the customer to the payment gateway (including login or entering credit card info there) to authorize the transaction, or you have your own server talk directly to the payment gateway. Relying on a hidden browser-side hack for a financial transaction is just amazingly stupid and unnecessary, even if you don't spot any obvious flaws right away (because someone else will).

    8. Re:And now thanks to /. and microsoft by buchner.johannes · · Score: 5, Insightful

      In traditional Microsoft fashion, the company has responded to the author of the breaking bing cashback expoit with a cease & desist letter, rather than by fixing the underlying security problem.

      Maybe they are doing both?

      The cease and desist letter seems partially reasonable:

      Specifically, at this site you are providing information directing users how to misuse the microsoft Bing Cashback program through unauthorized technical means. Further, on this website you admit that you have personally misused the Cashback program in this regard.

      It's pretty stupid to admit you violate a law on a blog that has your name on it. He should have used a anonymous blog for that or inform Microsoft of the issue in the first place.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    9. Re:And now thanks to /. and microsoft by lorenlal · · Score: 3, Informative

      Microsoft is working their Bing campaign hard. I'm seeing ads for it everywhere. I've got a feeling there are at least some folks who will try it out, and maybe even like it. Oh, and if you ever go to Microsoft.com and try searching for anything you're using Bing. There's a reasonable chance that you'll eventually accidentally use Bing.

    10. Re:And now thanks to /. and microsoft by QuoteMstr · · Score: 4, Interesting

      Relying on a hidden browser-side hack for a financial transaction is just amazingly stupid and unnecessary, even if you don't spot any obvious flaws right away (because someone else will).

      And people often do precisely that for affiliate programs. Is it any wonder these programs make up one of the shadier areas of the internet?

    11. Re:And now thanks to /. and microsoft by Homburg · · Score: 5, Insightful

      I'm not sure how this is a sensible response to a poster complaining about security through obscurity: security through obscurity is exactly the problem here. We use information like SSN and address which are not in any way secret, merely obscure, as a way to supposedly verify identity, and that's why we have so much identity theft. The reason no-one wants to post their SSN and address on Slashdot is precisely because security through obscurity sucks.

    12. Re:And now thanks to /. and microsoft by IsThisWorking · · Score: 5, Informative

      Security through obscurity is not about relying on secrecy of data, but about relying on secrecy of the algorithm or implementation. Those two things are different.

      If you do not make the distinction between data/information secrecy and design/algorithm/protocol/implementation secrecy, then you do not understand what security is.

    13. Re:And now thanks to /. and microsoft by FooAtWFU · · Score: 3, Insightful

      Heck, publicizing the thing is a pretty good show of his intent. If he'd wanted to defraud Microsoft, he'd be keeping quiet about it. This is pretty clearly about disclosing a vulnerability, not "bragging" about defrauding a large corporation.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    14. Re:And now thanks to /. and microsoft by rev_g33k_101 · · Score: 5, Funny

      The results are so haphazard, it feels like their parody of google is what actually drives Bing.

      I don't know how this late in the game a search engine can be so bad.

      answer:

      Because
      It's
      Not
      Google

      It's all in the name :D

      --
      "The problem with defending the purity of the English language is that English is about as pure as a cribhouse whore."
    15. Re:And now thanks to /. and microsoft by NekSnappa · · Score: 4, Funny

      Common man! This is /. so it has to be self-referencing
      Bing
      Is
      Not
      Google

      --
      I want to shoot the messenger!
  2. How does he know MS isn't doing anything else? by blankinthefill · · Score: 5, Insightful

    I'm curious how 'anonymous reader' knows that Microsoft is doing nothing to fix the problem. This has been bugging me for a long time. Its possible that a workable solution could take some time to get implemented, and in that time, doesn't it make sense to send a C&D letter in the interim? Hell, doesn't it make sense to send the letter anyways, so you don't have all these assholes trying to break your system? A C&D letter doesn't mean that other actions haven't been taken. Just a thought.

    1. Re:How does he know MS isn't doing anything else? by Anonymous Coward · · Score: 3, Funny

      Uh? Cash back is negative income for Microsoft, and as a lawyer who sends C&Ds for a living, I am offended by the fact that you call that "doing nothing".

    2. Re:How does he know MS isn't doing anything else? by MadnessASAP · · Score: 4, Insightful

      Ever heard of the Streisand effect? If you're trying to suppress information about something a C&D is the last thing you want to do. Furthermore many companies when put in an identical situation will respond with "Thank you we are aware of the problem and are currently working on it" rather then a C&D.

      Also you sound like a schizophrenic jackass.

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
    3. Re:How does he know MS isn't doing anything else? by Chrisq · · Score: 4, Insightful

      If they had any sense they would have anticipated the Streisand affect. It would have been much more effective to tell him the situation, ask him to remove the post and offer him whatever they paid their lawyers to issue the injunction as a "good will" gesture. That way if he did release it then he'd look like an @sshole rather than a victim.

    4. Re:How does he know MS isn't doing anything else? by mdenham · · Score: 3, Funny

      You're right, sending C&Ds isn't doing nothing.

      It's actively producing negative work, turning productively spent time into wasted time.

      So congratulations, you're doing less than nothing!

    5. Re:How does he know MS isn't doing anything else? by neothoron · · Score: 5, Interesting

      Problem is, sending a C&D letter is doubly ineffective:

      • it barely has any effect in keeping potential exploiters from getting access to the vulnerability;
      • someone who cared enough about MS so that they could better themselves is treated like a nuisance (at best).

      In fact, compare that to the way the last TLS-related vulnerability was handled; in both cases, a critical flaw is revealed before a fix was ready. In the TLS case, it was handled with forthcoming and transparency. I'm not saying that MS should do the same (MS probably can't); but they would show more respect to Samir, and to all their bing cashback clients, by:

      • Ask Samir to remove most of the "sensible" post information - you know, instead of threaten with litigation from the get-go.
      • Take an official stance on that problem; what's the risk, who's affected, what should be done - instead of leaving bing cashback clients vulnerable to misinformation and abuse.
    6. Re:How does he know MS isn't doing anything else? by value_added · · Score: 3, Insightful

      As to your first point, most business are very secrative about potentially damaging things. I don't understand why it's surprising when MS acts just like every other large corporation in protecting itself.

      It's a truism, if not a cliche, to point out business are secretive about potentially damaging things.

      The difference here is that the scope of damage extends outside narrow corporate concerns. In such situations, it's both fair and reasonable for customers to expect a certain level of transparency. In many industries, disclosures that negatively affect third parties are mandated by law (cue the car analogies).

      Microsoft has chosen, in historically typical fashion, the complete opposite of transparency. The criticisms are well deserved.

    7. Re:How does he know MS isn't doing anything else? by Anonymous Coward · · Score: 4, Insightful

      C&Ds do work in two cases:

      The first is if the C&D gets out fast enough that people are not unable to mirror the information, especially if it is stored in a dynamic database that can't just be grabbed completely with a wget. One example of this: Say someone makes a keygen app that runs on their webserver, and people submit forms to get bogus serial numbers. A C&D would completely smash this, preventing the information from getting released. Similar if people ran other services that could be nailed by an ACTA or DMCA takedown notice.

      The second is that the information that does escape the C&Ds gets pushed from mainstream sites to the seedy corners of the Internet. These are the same areas that have the dubious filesharing programs, the warez "search engines" and "DDL" sites [1], the "bump all Abloy locks in 2 secs, lulz" [2] text files, and other dodgy sites which tend to be more of a test of browser security than a place to find anything useful. So, unless someone is willing to spend time looking for that exact information on a hardened computer, it effectively has vanished.

      Don't underestimate the power of lawyers. They have the guys with guns on their side.

      [1]: I have DDL, or direct download in quotes because I have yet to personally see a usable direct download other than a Trojan or a drive by browser exploit in all my years of cleaning malware off of people's PCs who do believe in such fantasies.

      [2]: Yes, I know Abloy locks are unbumpable because of their design, but it is a good example. I don't know anything that defeats their latest PROTEC line of locks other than 12-14 hours of painstaking picking by dedicated speedpickers, or a good long session drilling the sucker out.

    8. Re:How does he know MS isn't doing anything else? by lkcl · · Score: 3, Interesting

      it's the lack of thought for consequences of censorship that has me confused. in this day and age, with the overwhelming occurrences of embarrassment that occurs repeatedly over censorship attempts and cover-up attempts, surely businesses would work out by now that a "thank you! we'll fix this IMMEDIATELY! and we'll even pay you some money, and, for anyone else who is listening, we'll pay a BOUNTY to anyone else who privately reports security problems in the future!" approach would make them appear to be a much more enlightened and responsible company. ... or am i just expecting too much?

      .

    9. Re:How does he know MS isn't doing anything else? by mcvos · · Score: 3, Insightful

      and as a lawyer who sends C&Ds for a living...

      Wow, that's sad. That's almost like admitting to being a parking inspector...

      Parking inspectors do important work. They keep parking spaces available for those who really need them. I feel sorry for the abuse they sometimes get.

    10. Re:How does he know MS isn't doing anything else? by mister_playboy · · Score: 4, Interesting

      I wrote parking tickets as a job in college... very easy. My rule was to let people go if they showed up during the ticketing, which resolves every single confrontation in a positive way. If I had to call a tow truck on the car, I had to stand my ground, but only once did I encounter someone who showed up during the process and was a real dick about it.

      The parking services was second only to tuition and the football team in amount of revenue generated for the school. If anything, I could write more tickets by letting the few people I encountered during my work go and moving on to the 98% of cars whose owners don't show up rather than wasting 20 minutes arguing with each of them.

      Easily the least stressful job I've ever had.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    11. Re:How does he know MS isn't doing anything else? by realityimpaired · · Score: 3, Interesting

      I've had to fight parking tickets in court, though, because they were unjustly given... If the parking space says, for example, that street parking is allowed until 4:00pm, and they write a ticket that's dated 4:01, then it's unreasonable... around here, they're supposed to give you 5 minutes' leeway to allow for differences in how your watch is set. (that's actually in the law in this part of the world).

      Worse still is the time I was given a $300 parking ticket because the jackass who wrote it was more concerned with meeting his quota than he was looking for the accessible parking permit that was clearly displayed on the dashboard... at least, it was clearly displayed until your view of it was blocked by the parking ticket that the idiot put, quite literally, on top of the accessible parking permit. The ticket wasn't for going over time, it was because my car was parked in a handicapped spot, and he hadn't noticed the permit. That one was resolved by a trip to city hall with both the permit and the ticket, but I shouldn't have had to take an afternoon off work because of a blind parking warden.

      I fully agree that parking inspectors do actually do some important work. And I accept that most of them are just trying to do an honest day's work, and trying to actually perform a civic service. But some of the parking wardens are clearly becoming jaded at being the furries of the law-enforcement community, and are taking it out on people by power tripping.

  3. Mirror by Rufus211 · · Score: 4, Informative

    Ive never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Lets see how these transactions might have accidentally got credited to my account.

    First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the the transaction details back to Bing. The request for the tracking pixel looks something like this:

    https://ssl.search.live.com/cashback/pixel/index? jftid=0&jfoid=<orderid>&jfmid=<merchantid> &m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>

    This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. Im not going to explain exactly how to generate the fake requests so that they actually post, but its not complicated. Bing doesnt seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have cleared, and Im guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

    Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I havent done enough work to say it with confidence, but a malicious user might be able to block another users legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order IDs (e.g. sequential), a malicious user can use up all the future order IDs, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

    Based on what Ive found, I wouldn't implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, Ill demonstrate some other subtle but important reasons to avoid using Bing Cashback.

    It seems like people have still not learned to never trust anything from the user. This reminds me of some trivially exploitable web merchants years ago. The would store the entire shopping basket, including prices, in the user's cookies. User simply modifies their cookies so that everything costs $1 or $0.01 and they could order a dozen cpus / t-shirts / whatever for a few bucks.

    1. Re:Mirror by Rufus211 · · Score: 5, Insightful

      Also the guy who posted this is an idiot for placing a $100,000 transaction which would result in a $2,000 payment, and then bragging about it. His two $1 transactions proved the vulnerability and the $0.06 payment generated is easily ignored. The $100k transaction with $2k payment is just flat out wire fraud asking for federal PMITA prison.

    2. Re:Mirror by slimjim8094 · · Score: 4, Insightful

      Parent is not a troll. This guy is seriously in for it - the FBI et.al frowns upon people who cheat companies out of literally thousands of dollars. The six cents would've been overlooked, and prove the point nicely.

      $2k will certainly not be overlooked. Even if he never collects it... he's still fucked.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    3. Re:Mirror by TheWizardTim · · Score: 5, Funny

      Another fun trick was to take a $1 and a $20 and cut them both in half. Then tape half of the $1 and the $20 to make two $21 dollar bills. Silly I know, but if you put them in a change machine, it would look for the numbers in the corners, it would read a 20 then a 1 and then give you $21 in change. You then took the other part and got $21 in change as well. Quick way to double your money. Now the machines check to make sure that all four numbers on the corners match up.

    4. Re:Mirror by jrumney · · Score: 4, Insightful

      it would read a 20 then a 1 and then give you $21 in change.

      Sounds like an urban myth to me. Would it add 20 and 20 from the corners of a normal $20 bill and give you $40 change?

  4. Most entertaining... by netpixie · · Score: 5, Informative

    is the line from the letter

    "cease and desist the posting in any location of the material and information contained in this post"

    Seeing as it is their SDK that contains the details of this "feature", are they going to send themselves a C&D and then pull the SDK?

  5. Use microsoft == get screwed by 1s44c · · Score: 3, Insightful

    After about 30 years is this still news?

    Use Microsoft software and you get screwed. They don't design software they design the user interface and botch the software. They are now as always a marketing not an IT company. It's always been that way, it will always be that way.

    1. Re:Use microsoft == get screwed by Alex+Belits · · Score: 3, Informative

      Microsoft Research is not "people working for Microsoft", it's "people are paid by Microsoft not to work for Microsoft's competitors". Not a single meaningful Microsoft product or feature came from there.

      --
      Contrary to the popular belief, there indeed is no God.
  6. Source of URL by pgn674 · · Score: 3, Informative

    If anyone is quickly wondering exactly where he got the info to construct the request URL in his original post (like, how did he know about jftid, jfoid, and jfmid?), it looks like page 33 of the linked Integration Guide PDF gives the URL https://ssl.bing.com/cashback/javascripts/1x1tracking.js. That JavaScript file has info on constructing that URL.

  7. No by oGMo · · Score: 5, Insightful

    If you have a glaring vulnerability that lets people defraud your customers out of arbitrary amounts of money, the only sane thing to do is immediately disable the feature. Not wait for a solution. Not cover up the issue. You make coverage of the issue irrelevant. If one person figured it out and wrote about it, 100 other people also figured it out and are using it for personal gain.

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

  8. It's called fraud by cookd · · Score: 5, Insightful

    This is called "fraud". Look it up. It's been around for a long time, a lot longer than HTTP. There are standard business practices for dealing with it. Not all of them are technical. This system's technical defenses are probably sufficient to raise an alarm (delayed by a few weeks as the results are collated), and it will produce a pretty good paper trail leading to the owner of the Bing account. Some of the systems take into account minor details such as the existence of accountants, a police force, a paper trail, and a legal system. Obviously some stronger technical measures might have made it a bit more difficult to pull off this partucular fraud, or maybe it might have even stopped it, but the non-technical measures will also work just fine if they are called into play.

    Whether or not the door is obviously guarded, it's still illegal to steal stuff from a store. The fact that the door was not protected with the latest and greatest in RFID theft detection systems doesn't change the fact that what you are doing is illegal. And perhaps the tracking process is slower than what you see in movies, people still get tracked down and arrested, days or weeks after the event. Moving from the streets onto the Internet doesn't really change the rules much (except that your case will probably wind up with Federal jurisdiction).

    In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following:
    1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account.
    2. Noticed that the cash back did show up with no problem as "available for withdrawal".
    3. Tried again with a much larger purchase. Again the purchase shows up in his account.
    4. Hacker is hoping that the amount will soon become available for withdrawal.

    On the other side of the world, the accounting systems for Microsoft and the associated merchant have likely compared invoices and noticed the discrepancies. The small ones got noted, but they were thrown out as "somebody is playing with the system, but it's not worth dealing with it". But this month, when going over the books, they're going to find a nice big 100,000 item that doesn't match up with any purchase recorded on the store's official records. However, they do have the account number of the buyer that should be getting the cash back. I'm not sure what typically happens at this point, but it probably involves cancelling dinner for the wolf pack so that by the time they're ready to send out the posse, the wolves are hungry.

    In this case, Microsoft has apparently (I haven't looked into this) provided an API by which a store can report a sale and attribute the sale to a particular Bing account. The API has varying levels of security, depending on how much effort the store wants to put into preventing fake transactions from entering the system. Low effort might be fine and takes less time to set up, but it's easier to attack and that means more work to do when reconciling the accounts. Just like many other mechanisms for quickly distributing non-critical information between merchants, this isn't meant to be the authoritative information transmission system, just a way for people to keep status on accounts in between the regularly-scheduled account reconciliations. This way Bing can update your account balance within seconds of the purchase. Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences. The differences go to the auditor and possibly to the police or FBI.

    Could we maybe just think for a second before acting like jerks? Being a jerk means everybody suffers. I mean, just because I see a way to deface somebody's website doesn't mean I am obligated to do so. I walk by 100 cars a day, and I could easily spray shaving cream all over them and not get caught. But if everybody did that, quality of life would go down for everybody. Same thing on the internet.

    I hate this attitude out there th

    --
    Time flies like an arrow. Fruit flies like a banana.
    1. Re:It's called fraud by Culture20 · · Score: 3, Interesting

      In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following: 1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account. 2. Noticed that the cash back did show up with no problem as "available for withdrawal". 3. Tried again with a much larger purchase. Again the purchase shows up in his account. 4. Hacker is hoping that the amount will soon become available for withdrawal.

      5. Notified Microsoft about the issue?

      Meanwhile, MS allowed a system where someone could redirect money to *someone else's* account, even an innocent third party. Imagine walking out of a local jewelry store, and the gate drops around you, sirens blare... all because a pickpocket put jewels in your pants. Imagine that instead of all of the sirens and gates, the store owner could have implemented a less expensive alternative that would have completely prevented the thief from doing this. So, the jewelry store is paying more to harass its customers... the store owners must enjoy it.