Microsoft Bing Cashback Fail

Category: Hacking, Internet  

It was recently “discovered” (or really just blogged about) by competing website bountii.com that Bing was using a hilariously insecure method for recording “Cashback” purchases.

The cashback program is simply where Microsoft pays you a percentage for searching and shopping through Bing.


The original article was taken down by legal threats, probably due to the fact that the author actually exploited it for a couple thousand dollars. Given the nature of the “exploit”, I believe I can safely talk about it vaguely, as it is as obvious and insecure as a blank check.

Simply put, Bing cashback allows merchants to record cashback purchases with a “tracking pixel” whose URL is something like:

http://www.not-a-real-bing-website.com/?bingaccount=43&ordernumber=123&money=499.99

Apparently, you can change the money value and guess the order number.
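As an added example (not code from the original article or from Bing), here is a receiver that records whatever the pixel's query string says, next to one that requires an HMAC computed on the merchant's server and pays each order only once. The shared key, the `sig` parameter and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed secret shared by merchant and cashback service (assumption).
MERCHANT_KEY = b"constructed-demo-secret"
FIELDS = ("bingaccount", "ordernumber", "money")


def _mac(params: dict) -> str:
    # MAC over a canonical encoding of every field that affects the payout.
    msg = urlencode([(f, params[f]) for f in FIELDS]).encode()
    return hmac.new(MERCHANT_KEY, msg, hashlib.sha256).hexdigest()


def sign_pixel_url(base: str, params: dict) -> str:
    """Merchant side: build the pixel URL on the server and append the MAC."""
    pairs = [(f, params[f]) for f in FIELDS] + [("sig", _mac(params))]
    return f"{base}?{urlencode(pairs)}"


def record_naive(url: str) -> dict:
    """The design the post describes: the query string is trusted as-is."""
    return dict(parse_qsl(urlsplit(url).query))


def record_verified(url: str, seen_orders: set) -> Optional[dict]:
    """Hardened receiver: reject unsigned, altered or repeated callbacks."""
    params = dict(parse_qsl(urlsplit(url).query))
    if any(f not in params for f in FIELDS):
        return None
    sig = params.get("sig", "")
    # Constant-time comparison of the expected and supplied MAC.
    if not hmac.compare_digest(_mac(params).encode(), sig.encode()):
        return None
    order = (params["bingaccount"], params["ordernumber"])
    if order in seen_orders:  # one payout per order number
        return None
    seen_orders.add(order)
    return {f: params[f] for f in FIELDS}
```

The signature must be computed server-side; a key shipped in page JavaScript would leave the callback as forgeable as before.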

 

Original Articles

(Cached from Bountii.com from Bing and Google cache due to legal takedown)

http://cc.bingj.com/cache.aspx?d=4879267570255838&w=a29cc607,9ea4ebc5

http://74.125.155.132/search?q=cache:3hxOgSPu460J:bountii.com/blog/
