A Bing cashback vulnerability has been discovered by Samir Meghani of the Bountii Team.
The flaw exists due to a software API oversight that allows users to fake transactions to Bing. Currently, Bing does not detect these faked transactions. The flaw affects both the customer and merchant. According to Samir, in his original posting, "merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the the transaction details back to Bing." Samir detailed that the process was flawed but didn't pin point exactly how to generate fake transactions.
Bing Cashback is an initiative that pays people to search with Bing. Customers can also get cashback rewards, meaning you could get cashback from online purchases made when Bing is used.
In a follow up post over the weekend entitled "Surrendering to Microsoft", Samir posted a legal letter from Microsoft's legal team demanding he remove the original blog post to which he complied. Microsoft also terminated Samir's Bing cash back account. Some may argue that this is a heavy handed approach but clearly Microsoft doesn't take kindly to fraud.
Thanks to Jugalator for the news tip
28 Comments - Add comment