What is with all the Internet Takedowns?

It seems to me that organizations that should know better are still attempting to remove information from the internet. First we have the following, which was removed due to legal threats (thanks, C, for pointing this one out):

Google Cache: http://209.85.129.132/search?q=cache:3hxOgSPu460J:bountii.com/blog/+%22I%27ve+never+bought+anything+using+Bing+Cashback,+but+the+balance+of+my+account+is+%242080.06%22&cd=2&hl=en&ct=clnk&gl=ch&client=firefox-a

Breaking Bing Cashback

Posted November 4th, 2009 by Samir

 I’ve never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let’s see how these transactions might have “accidentally” got credited to my account.

First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:

https://ssl.search.live.com/cashback/pixel/index?jftid=0&jfoid=<orderid>&jfmid=<merchantid>&m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>

This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I’m not going to explain exactly how to generate the fake requests so that they actually post, but it’s not complicated. Bing doesn’t seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have “cleared,” and I’m guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven’t done enough work to say it with confidence, but a malicious user might be able to block another user’s legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order IDs (e.g. sequential), a malicious user can “use up” all the future order IDs, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

Based on what I’ve found, I wouldn’t implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, I’ll demonstrate some other subtle but important reasons to avoid using Bing Cashback.
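The two weaknesses in the quoted post, an unauthenticated pixel report that anyone can forge and a dedup check on predictable order IDs that an attacker can exhaust, are easy to see in a small simulation. The following is an added example, not code from Samir's post or from Bing: only the parameter names (jftid, jfoid, jfmid, m[0], p[0], q[0]) are taken from the quoted request, while the ledger logic, the "account" stand-in for the shopper's cookie, the merchant IDs and the shared secret are assumptions made for illustration. It puts the weak, unsigned ledger beside a hardened one that only accepts reports carrying an HMAC computed on the merchant's own server.

```python
import hashlib
import hmac
from decimal import Decimal
from urllib.parse import parse_qs, urlencode

# Constructed simulation of the pixel-reporting scheme described above.
# Only the parameter names come from the quoted request; the ledger logic,
# the "account" (stand-in for the shopper's cookie) and the merchant secret
# are assumptions for illustration, not Bing's implementation.


def build_pixel_query(order_id, merchant_id, item_id, price, qty):
    """Query string a merchant's confirmation page would embed in the pixel URL."""
    return urlencode({"jftid": 0, "jfoid": order_id, "jfmid": merchant_id,
                      "m[0]": item_id, "p[0]": price, "q[0]": qty})


class UnsignedCashbackLedger:
    """Weak form: trusts any pixel request; the only check is that the
    (merchant, order id) pair has not been reported before."""

    def __init__(self):
        self.seen = set()
        self.credits = {}  # account -> credited amount in cents

    def report(self, account, query):
        p = parse_qs(query)
        key = (p["jfmid"][0], p["jfoid"][0])
        if key in self.seen:
            return "duplicate"
        self.seen.add(key)
        cents = int(Decimal(p["p[0]"][0]) * 100) * int(p["q[0]"][0])
        self.credits[account] = self.credits.get(account, 0) + cents
        return "accepted"


def sign_query(secret, query):
    """Merchant side: HMAC over the exact query string, computed on the
    merchant's server so the secret never reaches the shopper's browser."""
    return hmac.new(secret, query.encode(), hashlib.sha256).hexdigest()


class SignedCashbackLedger(UnsignedCashbackLedger):
    """Hardened form: a report is only considered if it carries a valid
    HMAC under the secret shared with that merchant."""

    def __init__(self, merchant_secrets):
        super().__init__()
        self.secrets = merchant_secrets  # merchant id -> shared secret (bytes)

    def report(self, account, query, signature):
        merchant = parse_qs(query)["jfmid"][0]
        secret = self.secrets.get(merchant)
        if secret is None:
            return "unknown merchant"
        if not hmac.compare_digest(sign_query(secret, query), signature):
            return "bad signature"
        return super().report(account, query)


def demo_forged_credit():
    """Anyone can fabricate a $104,000 order against the unsigned ledger."""
    ledger = UnsignedCashbackLedger()
    q = build_pixel_query("1001", "shop-42", "sku-1", "104000.00", "1")
    return ledger.report("attacker-cookie", q), ledger.credits["attacker-cookie"]


def demo_order_id_exhaustion(next_order_id, count):
    """With sequential order ids, pre-reporting the next `count` ids makes the
    merchant's genuine orders collide with the dedup check and get dropped."""
    ledger = UnsignedCashbackLedger()
    for n in range(next_order_id, next_order_id + count):
        ledger.report("attacker-cookie",
                      build_pixel_query(str(n), "shop-42", "junk", "0.01", "1"))
    genuine = build_pixel_query(str(next_order_id), "shop-42", "sku-9", "59.99", "1")
    return ledger.report("victim-cookie", genuine), ledger.credits.get("victim-cookie", 0)


def demo_signed_ledger():
    """Without the merchant secret a forged report is rejected; the merchant's
    own signed report for the same order is accepted."""
    secrets = {"shop-42": b"example-shared-secret"}  # assumed, not a real key
    ledger = SignedCashbackLedger(secrets)
    q = build_pixel_query("2001", "shop-42", "sku-1", "104000.00", "1")
    forged = ledger.report("attacker-cookie", q, "0" * 64)
    genuine = ledger.report("victim-cookie", q, sign_query(secrets["shop-42"], q))
    return forged, genuine


if __name__ == "__main__":
    print(demo_forged_credit())               # ('accepted', 10400000)
    print(demo_order_id_exhaustion(5000, 20))  # ('duplicate', 0)
    print(demo_signed_ledger())               # ('bad signature', 'accepted')
```

The signature covers the whole query string, so an attacker without the merchant's secret can neither invent an order nor pre-register future order IDs, which closes both holes at once; the dedup check still stops a replay of a captured signed URL. The caveat is that the HMAC must be produced on the merchant's server when the confirmation page is rendered, never by JavaScript in the page, or the secret is handed to exactly the party the scheme is defending against.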

And now we have this, which has also been taken down (again, thanks to C for pointing it out):

http://securitytube.net/Hacking-NASA-with-SQL-Injection-video.aspx

Hacking NASA with SQL Injection

Most of us might think that the top sites in the world, such as those belonging to NASA, the FBI, etc., would be very strong on the security front and would be impregnable to simple attacks. However, this might not really be true. In this video, a Romanian hacker, c0de.breaker, demonstrates how one of NASA’s subdomains is vulnerable to a SQL injection attack.

<This video has been removed due to terms of use violation>

Organizations need to realize that once information has been posted on the Internet, IT IS PUBLIC. Having sites remove the content does not make it go away or be forgotten. I’d be interested in any other recent takedowns that have occurred.
