Feeds

American Express bitten by XSS bugs (again)

Card accounts still naked

Intelligent flash storage arrays

The website for American Express has once again been bitten by security bugs that could expose its considerable base of customers to attacks that steal their login credentials.

The notice comes days after The Register reported Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security research first alerted company employees to the problem. An Amex spokesman later said the hole had been plugged.

It turns out that's not the case. The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com user's authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.

Browser with popup window that reads "XSS"

Amex XSS still not fixed

"They did not address the problem," said Joshua D. Abraham, a web-security consultant for Boston-based Rapid7. "They addressed an instance of the problem. You want to look at the whole application and say where could similar issues exist?"

At least two separate sources appeared to discover the XSS hole remained open. Researcher Kristian Erik Hermansen brought it to our attention, and crafted this proof of concept that shows how a rogue website could exploit the bug to siphon a person's americanexpress.com cookie, which helps authenticate users after they enter their user ID and password. A few hours later, Moscow-based SecurityLab.ru put out this advisory.

The botched fix appears to be the result of web developers who fixed the problem for HTTP requestsbased on the get protocol but not the separate post protocol as well.

Browser with popup window that reads "1234"

This bug was first publicly disclosed in April 2007

It came as a separate XSS error on americanexpress.com was brought to our attention. The weakness was publicly disclosed on a security website forum in April 2007, raising questions about the diligence of Amex security employees in sniffing out and fixing vulnerabilities that could be used to defraud the company's customers.

A company spokeswoman said security is a top concern at Amex and said company employees would investigate the two reported vulnerabilities.

We have no reason to doubt the sincerity of her claim that security is important at Amex, but we still can't understand why the company makes it so hard for researchers to report these kind of vulnerabilities. XSS errors typically can be fixed in a matter of minutes. Just think how much better protected customers would be if the company had an email address or section on its website dedicated to vulnerability reports. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.