US entrepreneur Samir Meghani has exposed a security flaw in Microsoft’s much-hyped Bing search engine that enables users of Bing’s “Cashback” system to pilfer large sums of money without making any online purchases.
Microsoft Cashback was introduced in order to tempt internet users to use its Bing search engine instead of Google. The service enables users to save money when they shop online by paying back a percentage of the purchase price of anything shoppers buy from Bing’s selling partners. These partners include Barnes & Noble, Sears, Overstock.com, Home Depot, J&R Electronics and many others.
However, Meghani has discovered that the insertion of a small piece of computer code can result in large sums of money being credited to a user’s account without them having to make any purchases. In a blog post last week he revealed: “I’ve never bought anything using Bing Cashback, but the balance of my account is $2080.06.”
“I’m not going to explain exactly how to generate the fake requests so that they actually post, but it’s not complicated,” he said. “Bing doesn’t seem to be able to detect these fake transactions, at least not right away… I haven’t done enough work to say it with confidence, but a malicious user might be able to block another user’s legitimate purchases from being reported correctly by Bing.”
He went on to advise merchants not to implement Bing Cashback. “As an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings,” he said.
Microsoft has responded to Meghani’s discovery by threatening legal action against him. In a letter from the company’s lawyers, he is “respectfully requested” to “immediately remove the website” and “cease and desist the posting in any location of the material and information contained in this posting.” Microsoft has also closed Meghani’s Cashback account and has threatened to take “further action to protect its rights” if necessary.
In a second blog post Meghani has explained that “The purpose of my post was to show an implementation problem, not to encourage defrauding Microsoft. I am surprised they would go through this much trouble to make me take down information that is obvious to anyone reading their documentation.”
The flaw in Bing’s security is a big embarrassment for Microsoft, which has spent hundreds of millions of dollars trying to establish the search engine as a serious rival to Google. Microsoft has gained some ground on this front, with Bing being branded the fastest growing search provider in August by research firm Nielsen, with a 10.7 percent share of the US search engine market. However, in October the search engine posted its first drop in market share gains since its June launch, according to data from Hitwise and StatCounter.
“Microsoft is headed in the right direction with Bing and attracting more advertiser dollars,” said SearchIgnite President Roger Barnette. “That said, it’s an uphill battle against Google and there’s still a long way to go before Bing garners a significant amount of the search ad revenue pie.”
Microsoft has also announced this week that the UK launch of its Bing search engine will be delayed until the first quarter of 2010. Bing has been available in the UK in beta form since June, but the company is still reluctant to start marketing Bing in the UK until the search results have been localised, making them more relevant to British users.
Let's hope they can fix this ASAP.
Instead of legal threats it is easier to approach Mr. Samir Meghani and correct the errors. There are at times simple answers to complicated problems.