[Infowarrior] - CORRECTION: Breaking Bing - enter DMCA!
Richard Forno
rforno at infowarrior.org
Tue Nov 10 13:41:09 UTC 2009
My goof -- Microsoft's lawyers didn't cite DMCA, they cited everything
else as reason for the removal of the Bing information from the
Internet. I jumped the gun[1] -- guess I need more coffee this
morning. My apologies! --rf
[1] Usually such 'takedown notices' are DMCA-based.
Begin forwarded message:
> From: Richard Forno <rforno at infowarrior.org>
> Date: November 10, 2009 8:38:01 AM EST
> To: Infowarrior List <infowarrior at attrition.org>
> Subject: [Infowarrior] - Breaking Bing - enter DMCA!
> Reply-To: rforno at infowarrior.org
>
> Not sure how long it will last, but Microsoft appears to be seeking
> the Streissand Effect by going after the guy who first poined this
> little feature out with a DMCA notice. ---rick
>
> Slashdot:
> http://yro.slashdot.org/story/09/11/09/2319233/Microsoft-Tries-To-Censor-Bing-Vulnerability?from=rss
>
> Original Post from Bing's Cache:
> http://cc.bingj.com/cache.aspx?d=4879267570255838&mkt=en-CA&setlang=en-US&w=90157511,9ea4ebc5
>
> Breaking Bing Cashback Posted November 4th, 2009 by Samir
> I’ve never bought anything using Bing Cashback, but the balance of my
> account is $2080.06. Apparently, I placed two $1 orders on January
> 24th of this year, and spent another $104,000 on October 24th. Let’s
> see how these transactions might have “accidentally” got credited to
> my account.
>
> First, we need to try to figure out how transactions get into Bing
> Cashback. Microsoft posted some documentation here. The explanation of
> how a merchant reports transactions to Bing starts on page 20.
> Merchants have a few options for reporting, but Bing suggests using a
> tracking pixel. Basically, the merchant adds a tracking pixel to their
> order confirmation page, which will report the the transaction details
> back to Bing. The request for the tracking pixel looks something like
> this:
>
> https://ssl.search.live.com/cashback/pixel/index?
> jftid=0&jfoid=<orderid>&jfmid=<merchantid>
> &m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>
> This implementation, while easy for the merchant, has an obvious flaw.
> Anyone can simulate the tracking pixel requests, and post fake
> transactions to Bing. I’m not going to explain exactly how to generate
> the fake requests so that they actually post, but it’s not
> complicated. Bing doesn’t seem to be able to detect these fake
> transactions, at least not right away. The six cents I earned in
> January have “cleared,” and I’m guessing the remaining $2080 will
> clear on schedule, unless there is some manual intervention.
>
> Even if Bing detects these fake transactions at some point in the
> future, the current implementation might have another interesting side
> effect. I haven’t done enough work to say it with confidence, but a
> malicious user might be able to block another user’s legitimate
> purchases from being reported correctly by Bing (I only tried this
> once, but it seemed to work). Posting a transaction to Bing requires
> sending them an order ID in the request. Bing performs a reasonable
> sanity check on the order ID, and will not post a transaction that
> repeats a previously reported order ID. When a store uses predictable
> order ID’s (e.g. sequential), a malicious user can “use up” all the
> future order ID’s, and cause legitimate transactions to be ignored.
> Reporting would be effectively down for days, causing a customer
> service nightmare for both Bing and the merchant.
>
> Based on what I’ve found, I wouldn’t implement Bing Cashback if I were
> a merchant. And, as an end user and bargain hunter, it does not seem
> smart to rely on Bing Cashback for savings. In our next blog post,
> I’ll demonstrate some other subtle but important reasons to avoid
> using Bing Cashback.
> _______________________________________________
> Infowarrior mailing list
> Infowarrior at attrition.org
> https://attrition.org/mailman/listinfo/infowarrior
>
More information about the Infowarrior
mailing list