[ISN] American Express web bug exposes card holders

From: InfoSec News <alerts_at_private>
Date: Thu, 18 Dec 2008 03:27:20 -0600 (CST)
http://www.theregister.co.uk/2008/12/16/american_express_website_bug/

By Dan Goodin in San Francisco
The Register
16th December 2008

Updated - A glaring vulnerability on the American Express website has 
unnecessarily put visitors at risk for more than two weeks and violates 
industry regulations governing credit card companies, a security 
researcher says.

Among other things, the cross-site scripting (XSS) error on 
americanexpress.com allows attackers to steal users' authentication 
cookies, which are used to validate American Express customers after 
they enter their login credentials. Depending on how the website is 
designed, miscreants could use the cookies to access customer account 
sections, said Russ McRee of the Holistic Security blog. A URL 
demonstrating this weakness is here.

McRee aired the American Express dirty laundry here after spending more 
than two weeks trying in vain to get someone inside the company to fix 
the problem. After getting no response from lower level employees, he 
emailed a director of a department responsible for information security 
at Amex. None of his emails was answered.

"I believe they have an obligation to respond, even if it's brief and 
callous," McRee told El Reg. "You don't have to be polite. Just fix it."

American Express proudly proclaims itself as a founding member of the 
PCI Security Standards Council, the group that forges the rules 
governing the Payment Card Industry. McRee says PCI's Data Security 
Standards expressly hold that XSS errors are a violation of those rules, 
so Amex's inaction carries a fair amount of irony.

[...]


_______________________________________________      
Help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html
Received on Thu Dec 18 2008 - 01:27:20 PST

This archive was generated by hypermail 2.2.0 : Thu Dec 18 2008 - 01:37:17 PST