American Express web bug exposes card holders

16th December 2008

Dan Goodin / The Register

If AmEx takes this as seriously as they claim, they will revoke their own PCI certification for starters. They will publicly disclose who their ASV is or promise to drop them for not finding a simple XSS flaw in their web site during the last PCI certification scan. With their PCI status revoked, they should stop processing credit cards just as the PCI board threatens to do with any merchant that loses PCI compliance status. Failing to do any of this will once again remind the world that the entire PCI DSS compliance standard is little more than a money making scam by the PCI founding members and select QSA/ASVs.

A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says.

Among other things, the cross-site scripting (XSS) error on allows attackers to steal users' authentication cookies, which are used to validate American Express customers after they enter their login credentials. Depending on how the website is designed, miscreants could use the cookies to access customer account sections, said Russ McRee of the Holistic Security blog. A URL demonstrating this weakness is here.

McRee aired the American Express dirty laundry here after spending more than two weeks trying in vain to get someone inside the company to fix the problem. After getting no response from lower level employees, he emailed a director of a department responsible for information security at Amex. None of his emails was answered.


main page ATTRITION feedback