Microsoft on Wednesday said it is fixing a bug in Bing that allowed spammers to bypass spam filters and distribute malicious links.
Researchers at Webroot Software discovered a spam campaign earlier this week that used the search engine's own redirection mechanism and a link-shrinking technique to send people to spam Web pages, according to a post on the Webroot threat blog.
The problem is with how Bing formats links in RSS feeds. The redirect from Bing to the spam site is not obfuscated, allowing scammers to append anything to the end of the Bing redirect URL and thus trick spam filters, said Andrew Brandt, a threat researcher at Webroot.
In the specific case, Webroot examined an RSS feed in Bing with a link that bounced through MySpace's link shrinker and landed on the spam Web page that looked like a news site customized to the user's geolocation and which offered vague work-from-home jobs.
Asked for comment, a Microsoft representative said late on Wednesday: "We were testing new features to improve the search experience for our customers, and during our testing, we found a bug that was causing this issue. We are taking immediate action and expect a fix in the next 48 hours."
Meanwhile, a MySpace representative had this to say when asked for comment: "The security of our users is a top priority for MySpace. With thousands of link-shortening systems available on the Internet, similar to MySpace's MSPLinks, it is critical that sites like Bing employ security measures such as the prevention of URL redirection."