Bountii on Bing Cashback: It's Broken - jpuskarich
http://bountii.com/blog/2009/11/04/breaking-bing-cashback/

======
chrischen
I used Bing cashback to get 30% off my Macbook Pro from ebay. And I used it
again at 20% off to buy a Nikon D60 (I think, or D80, it was for someone else)
off ebay.

The funny thing is that Microsoft basically paid me about $200 to get a Mac
(it was $200 because that's the max per transaction).

------
maukdaddy
2009 and they are using URLs to pass data? I thought there was a push for
security at Microsoft?

~~~
tptacek
Using URLs to pass data is fine, if skeevy.

Using a publicly visible tracking cookie to pass transaction data, though...

Microsoft spends more on security per line-of-code shipped than any company in
the world. I have no idea how something this bad could have shipped. But I
don't know the whole story.

One possible explanation: web pest tools like Burp filter out images from the
request history, because you usually don't bother fuzzing requests for images.

Of course, you usually don't embed dollar amounts in images either.

~~~
UpFromTheGut
This is funny, but I doubt there is any actual security flaw. I expect that
Microsoft will verify these transactions later on with the vendor and throw
them out.

~~~
eli
I'm sure that is true. That's part of the reason it takes so long to get paid;
they're waiting until the window to return the merchandise expires. My BoA
rewards program does the same thing.

~~~
samir
The six cents balance marked as "available" was also from fake transactions.
Those transactions cleared after 60 days. If the system was automated, those
transactions should have been canceled. I don't think they will actually do
any checks until I try to withdraw the money. I don't plan to try that though.
I think the part about blocking another person's transactions is actually the
interesting part.