[tptacek]

Using URLs to pass data is fine, if skeevy.

Using a publically visible tracking cookie to pass transaction data, though...

Microsoft spends more on security per line-of-code shipped than any company in the world. I have no idea how something this bad could have shipped. But I don't know the whole story.

One possible explanation: web pest tools like Burp filter out images from the request history, because you usually don't bother fuzzing requests for images.

Of course, you usually don't embed dollar amounts in images either.

[UpFromTheGut]

This is funny, but I doubt there is any actual security flaw. I expect that Microsoft will verify these transaction later on with the vendor and throw them out.

[eli]

I'm sure that is true. That's part of the reason it take so long to get paid; they're waiting until the window to return the merchandise expires. My BoA rewards program does the same thing.

[samir]

The six cents balance marked as "available" was also from fake transactions. Those transactions cleared after 60 days. If the system was automated, those transactions should have been canceled. I don't think they will actually do any checks until I try to withdraw the money. I don't plan to try that though. I think the part about blocking another person's transactions is actually the interesting part.

[tptacek]

I agree. It looks bad, though.