Feeds

American Express bitten by XSS bugs (again)

Card accounts still naked

The Power of One eBook: Top reasons to choose HP BladeSystem

The website for American Express has once again been bitten by security bugs that could expose its considerable base of customers to attacks that steal their login credentials.

The notice comes days after The Register reported Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security research first alerted company employees to the problem. An Amex spokesman later said the hole had been plugged.

It turns out that's not the case. The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com user's authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.

Browser with popup window that reads "XSS"

Amex XSS still not fixed

"They did not address the problem," said Joshua D. Abraham, a web-security consultant for Boston-based Rapid7. "They addressed an instance of the problem. You want to look at the whole application and say where could similar issues exist?"

At least two separate sources appeared to discover the XSS hole remained open. Researcher Kristian Erik Hermansen brought it to our attention, and crafted this proof of concept that shows how a rogue website could exploit the bug to siphon a person's americanexpress.com cookie, which helps authenticate users after they enter their user ID and password. A few hours later, Moscow-based SecurityLab.ru put out this advisory.

The botched fix appears to be the result of web developers who fixed the problem for HTTP requestsbased on the get protocol but not the separate post protocol as well.

Browser with popup window that reads "1234"

This bug was first publicly disclosed in April 2007

It came as a separate XSS error on americanexpress.com was brought to our attention. The weakness was publicly disclosed on a security website forum in April 2007, raising questions about the diligence of Amex security employees in sniffing out and fixing vulnerabilities that could be used to defraud the company's customers.

A company spokeswoman said security is a top concern at Amex and said company employees would investigate the two reported vulnerabilities.

We have no reason to doubt the sincerity of her claim that security is important at Amex, but we still can't understand why the company makes it so hard for researchers to report these kind of vulnerabilities. XSS errors typically can be fixed in a matter of minutes. Just think how much better protected customers would be if the company had an email address or section on its website dedicated to vulnerability reports. ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.