Microsoft became aware of a vulnerability in its own Bing search engine that allowed search results to be altered. The company fixed the issue, but it didn’t stop there: hackers continued to exploit the vulnerability and modify search results. Microsoft was then forced to disable its API completely while it was under attack.
Microsoft’s Bing engine has been under fire over the years because of how easily it has been manipulated and abused by hackers. The most notable example was when someone used a simple SQL injection hack to alter search results on Google, Bing, Yahoo and DuckDuckGo, resulting in an estimated $150 million in losses according to one study. This article discusses how this vulnerability made it possible for hackers to manipulate search results on Bing by changing content after receiving an authorization response from Microsoft’s API. The vulnerability is also discussed in detail in a recent paper released by security firm Proofpoint, which points out that many organizations are using vulnerable APIs without understanding or realizing their potential risks.
The unfortunate thing is that, despite the exploit being fixed, it still has a lasting effect on how people use Bing. With a set of rules, Microsoft has shown that it claims to be one step ahead of Google in terms of quality and numbers.
Microsoft has made a few mistakes in its implementation of the Bing search engine and its launch. Most notably, it has created a more centralized search engine model, which is at odds with its original vision of giving users flexibility and power over where to search.