Background
Bountii.com wrote a blog post which described (and demonstrated) some fairly half-assed security design in Microsoft’s Bing cashback system. I’d link you to it, but it’s now been taken down by the author at the request of Microsoft’s lawyers.
The class of problem we’re talking about
At its core, this is a case of what I’d call trusted-client syndrome.
As an example, imagine company A, company B, and a customer are involved in a transaction. Company A and company B need to exchange some info as part of the transaction, but it’s a real hassle (in 2009!) to integrate their systems directly. I mean, jeez, we’ve already built a customer-facing website, now we gotta build some B2B web services too?
So, to avoid the technical challenge of directly integrating company A and company B’s systems, company A passes transaction info indirectly to company B, via the customer’s browser.
Here’s the problem: as the info passes through the customer’s machine, it can be modified by the customer or by trojan software running on the client machine, allowing a range of attacks to be launched.
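An added example (not code from the Bountii post or from Microsoft's system) of the minimum a defender would want on the company B side: company A authenticates the relayed transaction info with an HMAC under a secret it shares with company B, so the customer's browser can carry the message but cannot change it without detection. The shared secret, field names, timestamps and order id are constructed for the demo.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: A and B share this secret out of band (constructed demo value).
SHARED_SECRET = b"constructed-shared-secret-for-demo"


def canonical(payload: dict) -> str:
    """Stable serialisation so both sides MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def sign_payload(payload: dict, secret: bytes = SHARED_SECRET) -> dict:
    """Company A: attach a tag over the canonical payload before handing
    the message to the customer's browser for relay to company B."""
    body = canonical(payload)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_relayed(message: dict, secret: bytes = SHARED_SECRET,
                   max_age_s: int = 300, now: Optional[float] = None) -> Optional[dict]:
    """Company B: trust the relayed payload only if the tag verifies and the
    issue time is fresh. Returns the parsed payload, or None on rejection."""
    body = message.get("body", "")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a mismatch means the body changed in transit
    # or the message never came from company A.
    if not hmac.compare_digest(expected, message.get("tag", "")):
        return None
    payload = json.loads(body)
    now = time.time() if now is None else now
    if abs(now - payload.get("issued_at", 0)) > max_age_s:
        return None  # stale; a nonce/order-id store is still needed against replay
    return payload


def modify_in_transit(message: dict, new_amount: str) -> dict:
    """Models the risk from the post: the body is rewritten on the client
    while the original tag is left in place."""
    payload = json.loads(message["body"])
    payload["cashback_amount"] = new_amount
    return {"body": canonical(payload), "tag": message["tag"]}
```

Company B must also record accepted order ids, since a timestamp window alone does not stop the same valid message being relayed twice.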
Why Microsoft’s position is inconsistent
The problem is this: MS implemented a dodgy design when MS itself believes it’s dodgy.
Over time, I’ve become a little (a little) more open to the school of thought that says “an occasional security hole is okay if the risk of exposure is low; after all, with usual reconciliation business processes, we’ll detect attackers down the track”.
- Let’s just ignore the implicit assumption that our knowledge of the system is perfect, and that there are no secondary vulnerabilities which would allow an attacker to cover tracks to work around the reconciliation processes.
- Also, assume that the people doing the reconciliation processes will keep running them :-) (“hey, why bother recalculating all these per-vendor totals and matching them against our records? The computer already did that for us!” “Awesome. Let’s go to lunch.” “I was just thinking that.” “Me too.” “Hold me.”)
The crux of my argument is this: MS can’t justify this design on “low exposure, high chance of detection” grounds on the one hand, and then also believe it’s worth expunging any mention of the flaw from the internet. Which is it? Acceptable risk or dangerous security flaw? Do you have processes in place to catch discrepancies caused by this vulnerability or not? (Hint: the original Bountii post seemed to indicate that the answer is “no”).
The whole thing’s demoralising because it all feels so 2001-ish; I was beginning to hope we were past this kind of crap as a profession. At least the billion-dollar corporate parts of the profession, anyway.
Here’s hoping that this is just a Bing-specific attitude of “time-to-market is more important than that over-engineering approach the Windows and Office nerds take. We’ve got a google to compete with.”