By Dan Goodin in San Francisco
16th December 2008
Updated - A glaring vulnerability on the American Express website has
unnecessarily put visitors at risk for more than two weeks and violates
industry regulations governing credit card companies, a security
Among other things, the cross-site scripting (XSS) error on
americanexpress.com allows attackers to steal users' authentication
cookies, which are used to validate American Express customers after
they enter their login credentials. Depending on how the website is
designed, miscreants could use the cookies to access customer account
sections, said Russ McRee of the Holistic Security blog. A URL
demonstrating this weakness is here.
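To make the cookie-theft risk concrete, here is an added example (not from the article, McRee, or American Express) that puts a reflecting handler beside its encoded form and shows the HttpOnly/Secure cookie flags that keep page script from reading an authentication cookie; the parameter value and token are constructed.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input, not from the article: a query parameter that a
# reflected-XSS bug would echo into the response without encoding.
SAMPLE_PARAM = '<script>alert(1)</script>'


def render_vulnerable(name):
    """Reflects the parameter verbatim: the defect class the article describes."""
    return "<p>Results for: " + name + "</p>"


def render_hardened(name):
    """Encodes the parameter so the browser treats it as text, not markup."""
    return "<p>Results for: " + html.escape(name, quote=True) + "</p>"


def reflects_markup(param, page):
    """True when the raw parameter, '<' intact, lands in the page unencoded."""
    return "<" in param and param in page


def session_cookie_header(token, hardened=True):
    """Build the Set-Cookie header for an authentication cookie.

    With hardened=True the cookie carries HttpOnly (document.cookie cannot
    read it, so an XSS bug cannot simply hand it to an attacker) and Secure
    (it is only sent over HTTPS). hardened=False shows the weak form.
    """
    c = SimpleCookie()
    c["session"] = token
    c["session"]["path"] = "/"
    if hardened:
        c["session"]["httponly"] = True
        c["session"]["secure"] = True
    return c.output(header="Set-Cookie:").strip()


def cookie_flags(set_cookie_header):
    """Defender's check: report whether a Set-Cookie header sets both flags."""
    attrs = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}
```

Running cookie_flags over a site's real Set-Cookie headers is a quick way to confirm the authentication cookie is at least shielded from script access.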
McRee aired the American Express dirty laundry here after spending more
than two weeks trying in vain to get someone inside the company to fix
the problem. After getting no response from lower level employees, he
emailed a director of a department responsible for information security
at Amex. None of his emails was answered.
"I believe they have an obligation to respond, even if it's brief and
callous," McRee told El Reg. "You don't have to be polite. Just fix it."
American Express proudly proclaims itself as a founding member of the
PCI Security Standards Council, the group that forges the rules
governing the Payment Card Industry. McRee says PCI's Data Security
Standards expressly hold that XSS errors are a violation of those rules,
so Amex's inaction carries a fair amount of irony.