Feeds

American Express bitten by XSS bugs (again)

Card accounts still naked

Security for virtualized datacentres

The website for American Express has once again been bitten by security bugs that could expose its considerable base of customers to attacks that steal their login credentials.

The notice comes days after The Register reported Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security research first alerted company employees to the problem. An Amex spokesman later said the hole had been plugged.

It turns out that's not the case. The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com user's authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.

Browser with popup window that reads "XSS"

Amex XSS still not fixed

"They did not address the problem," said Joshua D. Abraham, a web-security consultant for Boston-based Rapid7. "They addressed an instance of the problem. You want to look at the whole application and say where could similar issues exist?"

At least two separate sources appeared to discover the XSS hole remained open. Researcher Kristian Erik Hermansen brought it to our attention, and crafted this proof of concept that shows how a rogue website could exploit the bug to siphon a person's americanexpress.com cookie, which helps authenticate users after they enter their user ID and password. A few hours later, Moscow-based SecurityLab.ru put out this advisory.

The botched fix appears to be the result of web developers who fixed the problem for HTTP requestsbased on the get protocol but not the separate post protocol as well.

Browser with popup window that reads "1234"

This bug was first publicly disclosed in April 2007

It came as a separate XSS error on americanexpress.com was brought to our attention. The weakness was publicly disclosed on a security website forum in April 2007, raising questions about the diligence of Amex security employees in sniffing out and fixing vulnerabilities that could be used to defraud the company's customers.

A company spokeswoman said security is a top concern at Amex and said company employees would investigate the two reported vulnerabilities.

We have no reason to doubt the sincerity of her claim that security is important at Amex, but we still can't understand why the company makes it so hard for researchers to report these kind of vulnerabilities. XSS errors typically can be fixed in a matter of minutes. Just think how much better protected customers would be if the company had an email address or section on its website dedicated to vulnerability reports. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.