Researchers Point Out XSS Flaws On American Express Site

Flaws could jeopardize users' identities, researchers say
American Express has been wrestling for more than a week with cross-site scripting vulnerabilities that could jeopardize the personal information of its customers, according to security researchers.

Researchers have been reporting vulnerabilities on the Amex site since April, when the first of several cross-site scripting (XSS) flaws was reported. However, researcher Russell McRee caused a stir again just a week ago when he reported newly discovered XSS vulnerabilities on the Amex site.

The vulnerability, which is caused by an input validation deficiency in a GET request, can be exploited to harvest session cookies and inject iframes, exposing Amex site users to a variety of attacks, including identity theft, researchers say. McRee was tipped off to the problem when the Amex site prompted him to shorten his password -- an unusual request in today's security environment, where strong passwords are usually encouraged.

The vulnerability violates the PCI Data Systems Security (PCI DSS) guidelines that Amex itself helped to create, McRee observes.

Aside from the XSS flaws, McRee says he also found a "most informative 500 error page exception." This page disclosed potentially sensitive details about the company's Website, revealing that it is powered by the Vignette CMS hosted on Apache and IBM WebSphere.

McRee says American Express did not respond to his warnings about the vulnerability. However, in a report issued by The Register on Friday, at least two researchers said they found evidence that American Express had attempted to fix the flaw -- and failed.

"They did not address the problem," says Joshua Abraham, a Web security consultant for Rapid7, a security research firm. "They addressed an instance of the problem. You want to look at the whole application and say, 'Where could similar issues exist?'"
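To make concrete both the mechanism described above (a GET parameter reflected into the page without validation, which lets injected script read the session cookie) and Abraham's point that the fix must cover the whole application rather than one instance, here is an added example. It is not code from the article, from the researchers, or from American Express; the `/search` handler, the `q` parameter and the `sid` cookie name are assumptions. It shows a vulnerable renderer beside its escaped form, the cookie attributes that keep an injected script from reading the session cookie, and a crude sweep that replays a marker payload against every registered handler so that a second unescaped reflection is not missed.

```python
"""Reflected XSS via an unvalidated GET parameter: vulnerable vs. hardened
rendering, cookie attributes that blunt session theft, and a sweep over all
handlers. Added example; hypothetical handler, parameter and cookie names."""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Harmless marker used to detect reflection; it carries no real payload.
MARKER = "<script>alert(1)</script>"


def query_param(path: str, name: str) -> str:
    """Return the first value of query parameter `name` from a request path."""
    return parse_qs(urlsplit(path).query).get(name, [""])[0]


def render_vulnerable(path: str) -> str:
    """Reflects the raw parameter into HTML: the input validation
    deficiency the article describes. Anything in `q` becomes markup."""
    q = query_param(path, "q")
    return f"<h1>Results for {q}</h1>"


def render_hardened(path: str) -> str:
    """Same page, but the parameter is HTML-escaped for the context it is
    placed in, so <, >, &, quotes can no longer start a tag or attribute."""
    q = query_param(path, "q")
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def session_cookie(value: str, hardened: bool = True) -> str:
    """Build a Set-Cookie header value for the (hypothetical) session cookie.
    HttpOnly keeps document.cookie from exposing it to injected script;
    Secure and SameSite limit where the browser will send it."""
    attrs = [f"sid={value}", "Path=/"]
    if hardened:
        attrs += ["Secure", "HttpOnly", "SameSite=Lax"]
    return "; ".join(attrs)


def reflects_unescaped(render, marker: str = MARKER) -> bool:
    """Detection check: send the marker through the handler and see whether
    it comes back byte-for-byte. A True result means the handler reflects
    input without escaping."""
    path = "/search?q=" + quote(marker)
    return marker in render(path)


# In a real application this registry would list every page that echoes
# user input; here it holds both versions of the one hypothetical handler.
HANDLERS = {
    "/search (vulnerable)": render_vulnerable,
    "/search (hardened)": render_hardened,
}


def sweep(handlers=HANDLERS) -> dict:
    """Apply the reflection check to every registered handler, so the fix is
    verified application-wide rather than for the one reported URL."""
    return {name: reflects_unescaped(fn) for name, fn in handlers.items()}


if __name__ == "__main__":
    for name, reflected in sweep().items():
        print(f"{name}: {'REFLECTS UNESCAPED' if reflected else 'ok'}")
    print("hardened cookie:", session_cookie("constructed-session-id"))
```

Running the module prints one line per handler; the vulnerable one reports the reflection and the hardened one does not. The sweep is deliberately simple (one marker, one parameter) and stands in for whatever scanner or test suite a team uses; the point is that it runs against every handler, not only the one that was reported.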

Researcher Kristian Erik Hermansen has crafted a proof-of-concept that shows how a rogue Website could exploit the bug to siphon a person's cookie, which helps authenticate users after they enter their user ID and password.

An Amex spokesperson told The Register that the company is investigating the most recent vulnerability reports, but the researchers say the problems have yet to be completely fixed.
