American Express has been wrestling for more than a week with cross-site scripting vulnerabilities that could jeopardize the personal information of its customers, according to security researchers.
Researchers have been reporting vulnerabilities on the Amex site since April, when the first of several cross-site scripting (XSS) flaws was reported. However, researcher Russell McCree caused a stir again just a week ago when he reported newly discovered XSS vulnerabilities on the Amex site.
The vulnerability, which is caused by an input validation deficiency in a GET request, can be exploited to harvest session cookies and inject iFrames, exposing Amex site users to a variety of attacks, including identity theft, researchers say. McCree was tipped off to the problem when the Amex site prompted him to shorten his password — an unusual request in today’s security environment, where strong passwords are usually encouraged.
The vulnerability violates the PCI Data Security Standard (PCI DSS) guidelines that Amex itself helped to create, McCree observes.
Aside from the XSS flaws, McCree says he also found a “most informative 500 error page exception.” This page disclosed potentially sensitive information about the company’s Website, showing that it is powered by the Vignette CMS hosted on Apache and IBM WebSphere.
McCree says American Express did not respond to his warnings about the vulnerability. However, in a report issued by The Register on Friday, at least two researchers said they found evidence that American Express had attempted to fix the flaw — and failed.
“They did not address the problem,” says Joshua Abraham, a Web security consultant for Rapid7, a security research firm. “They addressed an instance of the problem. You want to look at the whole application and say, ‘Where could similar issues exist?’”
Researcher Kristian Erik Hermansen has crafted a proof-of-concept that shows how a rogue Website could exploit the bug to siphon a person’s americanexpress.com cookie, which helps authenticate users after they enter their user ID and password.
An Amex spokesperson told The Register that the company is investigating the most recent vulnerability reports, but the researchers say the problems have yet to be completely fixed.
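The class of flaw described above, as an added example that is not part of the original article and is not Amex's code: a page that reflects a GET parameter, a fix that handles only one instance (Abraham's point), and the output-encoding fix for the whole class, together with a session cookie that page script cannot read and a 500 page that discloses nothing about the platform. The parameter name `q`, the template, the sample query and all function names are assumptions made for illustration.

```python
import html
import logging
import uuid
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample: a GET query string whose value carries iframe markup.
SAMPLE_QUERY = "q=%22%3E%3Ciframe+src%3D%22https%3A%2F%2Fexample.invalid%2F%22%3E"
TEMPLATE = '<input name="q" value="{}">'  # hypothetical page fragment


def get_param(query, name):
    """Return the first value of a query parameter, or an empty string."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_reflected(query):
    """Flawed: the GET value is copied into the page unchanged."""
    return TEMPLATE.format(get_param(query, "q"))


def render_blocklist(query):
    """Partial fix: removes one known-bad string, leaves the class of bug."""
    return TEMPLATE.format(get_param(query, "q").replace("<script", ""))


def render_encoded(query):
    """Fix for the class: encode every untrusted value for its output context."""
    return TEMPLATE.format(html.escape(get_param(query, "q"), quote=True))


def session_cookie_header(session_id):
    """Session cookie that page script cannot read and that is sent over TLS only."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def error_page(exc):
    """Generic 500 body: details go to the server log, not to the browser."""
    incident = uuid.uuid4().hex
    logging.getLogger(__name__).error("incident %s: %r", incident, exc)
    return incident, f"<h1>Something went wrong</h1><p>Reference: {incident}</p>"
```

Encoding at the point of output covers every parameter that reaches the template, which is the application-wide review Abraham describes; the `HttpOnly` flag limits what a missed instance can do to the session cookie.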