Thu, Oct 6, 2011 in News, Web by rameez

Zero-Day Vulnerability On American Express Website Now Closed



American Express says it has shut down the webpage that left a portion of its website open for anyone to access, in what is being called a zero-day security vulnerability, according to a statement from the company. The security issue was first discovered by developer Niklas Femerstrand, who attempted to reach out to American Express via Twitter in the hope of being pointed to an email address he could use to send the company further details regarding the issue.

The seemingly confused Twitter rep asked him whether he was an Amex cardholder and offered him a phone number to call, despite his objections to contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog instead.

According to the blog post (also featured here on Hacker News), Femerstrand discovered that American Express developers had accidentally left an administration panel used for website debugging accessible, potentially leaving the site open to XSS attacks.

“Hackers could inject a cookie stealer combined with jQuery’s .hide() and harvest cookies which can, ironically enough, be exploited by using the admin panel provided by sloppy American Express developers,” wrote Femerstrand in his blog post. He also demonstrated a proof-of-concept attack.

In practice, this means customers could be lured to the genuine American Express website through phishing attacks and have their sessions hijacked. The attackers could then harvest account information, and because the phishing emails would link to the real domain, they would be less likely to be picked up by anti-spam/anti-phishing technologies.
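The session-hijacking risk above comes down to a script being able to read a session cookie and send it elsewhere. The check below is an added example written for this article, not code from the original post, from Femerstrand, or from American Express: it audits Set-Cookie headers for the attributes that limit what a stolen-cookie payload can do (HttpOnly keeps the value out of document.cookie, Secure keeps it off plaintext HTTP, SameSite limits cross-site sending) and builds a hardened session cookie. The cookie names and header values are constructed for illustration; the function names are this example's own.

```javascript
// Added example (not from the article or from American Express): audit
// Set-Cookie headers for the attributes that limit the damage of an XSS
// cookie stealer, and emit a hardened session cookie for comparison.
// Cookie names and values below are constructed for illustration.

const REQUIRED = ['HttpOnly', 'Secure', 'SameSite'];

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so keys are lowercased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the hardening attributes a Set-Cookie header is missing.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const missing = [];
  for (const req of REQUIRED) {
    if (!(req.toLowerCase() in attrs)) missing.push(req);
  }
  // SameSite=None gives no cross-site protection; flag it as well.
  if (typeof attrs.samesite === 'string' && attrs.samesite.toLowerCase() === 'none') {
    missing.push('SameSite=Strict|Lax');
  }
  return missing;
}

// Build a session cookie header with the recommended attributes set.
function buildSessionCookie(name, value, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

// Audit a list of captured Set-Cookie values; returns name -> missing attributes
// for every cookie that fails the check.
function auditHeaders(setCookieHeaders) {
  const report = {};
  for (const h of setCookieHeaders) {
    const { name } = parseSetCookie(h);
    const missing = auditSetCookie(h);
    if (missing.length) report[name] = missing;
  }
  return report;
}

// Constructed sample headers: two weak cookies and one hardened one.
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/',                  // readable by script, sent over http
  'prefs=dark; Path=/; Secure; SameSite=None', // script-readable and cross-site
  buildSessionCookie('sid', 'abc123', 1800),   // hardened
];

console.log(auditHeaders(SAMPLE_HEADERS));
```

Run with `node audit.js`; the report lists `SESSIONID` as missing all three attributes and `prefs` as missing HttpOnly and a restrictive SameSite, while the hardened `sid` cookie does not appear. HttpOnly does not stop a script that already runs in the page from acting as the user, so it complements, rather than replaces, closing the exposed page and fixing the XSS itself.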

American Express has now responded, stating that the webpage in question is now down:

“We learned this morning that an internal test page created to update promotional offers was temporarily accessible on our US website. The page did not contain CM information such as card number, name or address. The page in question has been taken down. We are not aware of any information at this time that this vulnerability was used for malicious purposes but we are continuing to investigate.”

There are several other concerns that accompany this particular incident, however. For example, if this was a case of pure oversight, why did American Express specifically remove the page from its robots.txt file? That seems to indicate that the company knew the page was open.

In addition, why are the Twitter representatives of a financial services company not aware of the proper email address for security researchers to use? Twitter may be primarily a marketing channel, but sheer ignorance of key terms like “security vulnerability” seems inexcusable when, potentially, private customer information is at stake.

And finally, shouldn’t Femerstrand have tried a little harder to find a legitimate way to contact Amex besides using Twitter? That’s the consensus on Hacker News, Reddit, and even, in some cases, in the comments on the blog post itself.

See the original post here:
Zero-Day Vulnerability On American Express Website Now Closed



© Copyright Bitwords Media A New York Web Design Firm. The E-commerce Magazine.
