Researchers Point Out XSS Flaws On American Express Site

Flaws could jeopardize users' identities, researchers say

Tim Wilson, Editor in Chief, Dark Reading, Contributor

December 22, 2008


American Express has been wrestling for more than a week with cross-site scripting vulnerabilities that could jeopardize the personal information of its customers, according to security researchers.

Researchers have been reporting vulnerabilities on the Amex site since April, when the first of several cross-site scripting (XSS) flaws was reported. However, researcher Russell McRee caused a stir again just a week ago when he reported newly discovered XSS vulnerabilities on the Amex site.

The vulnerability, caused by a missing input validation check on a GET request parameter, can be exploited to harvest session cookies and inject iframes, exposing Amex site users to a variety of attacks, including identity theft, researchers say. McRee was tipped off to the problem when the Amex site prompted him to shorten his password -- an unusual request in today's security environment, where strong passwords are usually encouraged.

The vulnerability violates the PCI Data Systems Security (PCI DSS) guidelines that Amex itself helped to create, McRee observes.

Aside from the XSS flaws, McRee says he also found a "most informative 500 error page exception." This page revealed potentially sensitive information about the company's Website, revealing it is powered by the Vignette CMS hosted on Apache and IBM WebSphere.
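The two defect classes the story describes, a GET parameter reflected into HTML without encoding and an over-informative 500 page, shown beside their hardened forms in a constructed Python example. This is added illustration, not code from American Express or from the researchers; the parameter name `q`, the payload string and the cookie attributes are assumptions.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed payload standing in for the injected iframe the article mentions.
CONSTRUCTED_PAYLOAD = '<iframe src="https://third-party.invalid/"></iframe>'


def build_query(value: str) -> str:
    """Build a percent-encoded query string the way a browser would send it."""
    return urlencode({"q": value})


def get_param(query_string: str, name: str) -> str:
    """Return the first (decoded) value of a GET parameter, or '' if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """The defect class described: the GET parameter lands in the HTML body
    unencoded, so any markup in the URL becomes part of the page."""
    return f"<h1>Results for {get_param(query_string, 'q')}</h1>"


def render_hardened(query_string: str) -> str:
    """Same page with contextual output encoding: < > & and quotes become entities."""
    safe = html.escape(get_param(query_string, "q"), quote=True)
    return f"<h1>Results for {safe}</h1>"


def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps the session cookie out of document.cookie, so even a successful
    script injection cannot read it; Secure confines it to HTTPS (assumed attributes)."""
    return f"Set-Cookie: sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def error_response(exc: Exception, debug: bool = False) -> tuple:
    """Generic 500 body for production; exception details only when debug is on,
    so stack traces and platform names never reach an anonymous visitor."""
    if debug:
        return 500, f"<pre>{html.escape(repr(exc))}</pre>"
    return 500, "<h1>Something went wrong</h1><p>Please contact support.</p>"


def reflects_markup(page: str, payload: str) -> bool:
    """Detection check for a response: does the raw payload appear verbatim?"""
    return payload in page


if __name__ == "__main__":
    qs = build_query(CONSTRUCTED_PAYLOAD)
    print(reflects_markup(render_vulnerable(qs), CONSTRUCTED_PAYLOAD))  # True
    print(reflects_markup(render_hardened(qs), CONSTRUCTED_PAYLOAD))    # False
```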

McRee says American Express did not respond to his warnings about the vulnerability. However, in a report issued by The Register on Friday, at least two researchers said they found evidence that American Express had attempted to fix the flaw -- and failed.

"They did not address the problem," says Joshua Abraham, a Web security consultant for Rapid7, a security research firm. "They addressed an instance of the problem. You want to look at the whole application and say, 'Where could similar issues exist?'"

Researcher Kristian Erik Hermansen has crafted a proof-of-concept that shows how a rogue Website could exploit the bug to siphon a person's americanexpress.com cookie, which helps authenticate users after they enter their user ID and password.

An Amex spokesperson told The Register that the company is investigating the most recent vulnerability reports, but the researchers say the problems have yet to be completely fixed.


About the Author

Tim Wilson, Editor in Chief, Dark Reading

Contributor

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
