Friday, October 7, 2011

Zero-day Vulnerability On The American Express Is Now Closed


American Express says it has closed a web page that left part of its website open to what is known as a zero-day vulnerability, the company said in a statement. The security problem was discovered by developer Niklas Femerstrand, who tried to reach American Express via Twitter, hoping to be pointed to an e-mail address to which he could send further details of the issue.

Apparently confused, the Twitter representative asked whether he was an American Express cardholder and offered a phone number to call, despite his objections to contacting Amex by phone, fax or physical mail. In frustration, Femerstrand instead published the details on his blog.

According to the blog post (also featured on Hacker News), Femerstrand discovered that American Express developers had accidentally left an administration panel for website debugging publicly accessible, leaving the site open to XSS attacks.

"A hacker could inject a cookie stealer, combined with jQuery's .hide(), and collect cookies, which may, ironically, be the most use the admin panel ever gets from the listless American Express developers," wrote Femerstrand on his blog. He also demonstrated a proof-of-concept attack.

What this means is that customer sessions could be hijacked: users could be directed to the American Express website through phishing attacks, and attackers could then harvest their account information, while the phishing e-mails, because they link to the genuine American Express site, avoid being caught by anti-spam/anti-phishing technologies.
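
The cookie stealer described above works because script injected into the page can read the session cookie from `document.cookie`. The attribute that blunts that is `HttpOnly`, with `Secure` and `SameSite` closing off the adjacent plain-HTTP and cross-site paths. The following auditor is an added example, not code from the article or from Femerstrand's proof of concept: it parses `Set-Cookie` headers from a response and flags session-looking cookies that lack those attributes. The header lines are constructed for the demonstration and are not captured from americanexpress.com.

```python
"""Audit Set-Cookie headers for the attributes that blunt cookie theft via XSS.

Added example; the response headers below are constructed, not captured
from any real site.
"""
from dataclasses import dataclass, field

# Name fragments that suggest a cookie carries a session or credential.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieReport:
    """Split one Set-Cookie value into the cookie name and its attribute map.

    Attribute names are case-insensitive (RFC 6265), so they are lowered.
    Flags without a value (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return CookieReport(name=name, attributes=attrs)


def audit_cookie(header_value: str) -> CookieReport:
    """Record why a cookie would be stealable or replayable by injected script."""
    report = parse_set_cookie(header_value)
    attrs = report.attributes
    looks_like_session = any(h in report.name.lower() for h in SESSION_HINTS)
    if looks_like_session and "httponly" not in attrs:
        report.findings.append(
            "missing HttpOnly: readable from document.cookie, so an XSS "
            "cookie stealer can exfiltrate it")
    if "secure" not in attrs:
        report.findings.append("missing Secure: also sent over plain HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        report.findings.append(
            "SameSite not Lax/Strict: attached to cross-site requests")
    return report


def audit_response(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return {cookie name: findings} for every Set-Cookie header in a response."""
    return {
        r.name: r.findings
        for r in (audit_cookie(v) for k, v in headers if k.lower() == "set-cookie")
    }


# Constructed sample response headers: one weak session cookie, one hardened
# credential cookie, one harmless preference cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Set-Cookie", "auth_token=def456; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "lang=en; Path=/; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie_name, findings in audit_response(SAMPLE_HEADERS).items():
        print(cookie_name, "->", findings or ["ok"])
```

Run against a real response, `SESSIONID` would be the cookie to fix first: without `HttpOnly` a single injected script on any page of the origin, such as the leftover debugging panel, can read and forward it. `HttpOnly` does not remove the XSS itself, but it takes the cookie off the table as the payload.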
American Express has responded, saying that the page in question has been taken down:

"We learned this morning that an internal test page for updating promotions was temporarily accessible on the U.S. site. The page did not include CM information, including card number, name or address, and has been removed. We are not aware of any information at this stage that the vulnerability has been used for malicious purposes, but we continue to investigate."

There are a number of other issues with this particular case, though. For example, if this was purely an accident, why did American Express specifically exclude the page in its robots.txt file? This seems to indicate that the company was aware that the page was open.
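
The robots.txt detail matters beyond what it says about awareness: a Disallow line is a crawler hint, not an access control, and a line pointing at a debugging or admin path advertises that path to anyone who reads the file. The check below is an added example, not something from the article or from American Express: it pulls the Disallow entries out of a robots.txt body and records, for each, whether the name looks sensitive and whether an unauthenticated request succeeds. The robots.txt text, the `www.example.com` host and the fake responses are constructed; the HTTP probe is injected so that the audit runs offline here and can be pointed at a real fetcher in use.

```python
"""Cross-check robots.txt Disallow entries against what the server actually serves.

robots.txt hides a path from well-behaved crawlers only. Any Disallow path that
answers 200 to an anonymous GET is protected by nothing but that file.
Added example; the robots.txt body and the responses are constructed.
"""
from typing import Callable
from urllib.parse import urljoin

# Path fragments that suggest a debugging, test or administrative page.
SENSITIVE_HINTS = ("admin", "debug", "test", "internal", "backup", "staging")


def disallowed_paths(robots_txt: str) -> list[str]:
    """Return every Disallow path in a robots.txt body, across all user-agent groups.

    Trailing '#' comments are stripped; an empty Disallow (meaning 'allow all')
    is skipped.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def audit_robots(base_url: str, robots_txt: str,
                 probe: Callable[[str], int]) -> list[dict]:
    """Probe each Disallow path and report which ones are exposed.

    `probe` takes an absolute URL and returns the HTTP status of an anonymous GET.
    Injecting it keeps this testable offline; a real run would wrap urllib or
    requests.
    """
    findings = []
    for path in disallowed_paths(robots_txt):
        status = probe(urljoin(base_url, path))
        findings.append({
            "path": path,
            "status": status,
            "sensitive_name": any(h in path.lower() for h in SENSITIVE_HINTS),
            # A 200 means the robots.txt line is the only thing 'hiding' the page.
            "exposed": status == 200,
        })
    return findings


def exposed_sensitive(findings: list[dict]) -> list[str]:
    """Paths that both look like internal tooling and answer anonymously."""
    return [f["path"] for f in findings if f["exposed"] and f["sensitive_name"]]


# Constructed robots.txt: one legacy path, one internal debug page, one test area.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /cgi-bin/   # legacy
Disallow: /internal/debugpanel.html
Disallow: /promo-test/
Allow: /
"""

# Constructed server behaviour standing in for a live HTTP probe.
FAKE_RESPONSES = {
    "https://www.example.com/cgi-bin/": 403,
    "https://www.example.com/internal/debugpanel.html": 200,
    "https://www.example.com/promo-test/": 401,
}


def fake_probe(url: str) -> int:
    return FAKE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    report = audit_robots("https://www.example.com/", SAMPLE_ROBOTS, fake_probe)
    for entry in report:
        print(entry)
    print("exposed:", exposed_sensitive(report))
```

In the constructed run only `/internal/debugpanel.html` is flagged: the other two Disallow paths answer 403 and 401, which is what a page that is meant to be internal should do whether or not robots.txt mentions it. The fix for a flagged path is authentication or removal on the server side, not a longer robots.txt.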
In addition, why were the financial services company's Twitter representatives not aware of the correct e-mail address that security researchers can use? Twitter may be primarily a marketing channel, but ignorance of key terms such as "security vulnerability" seems unforgivable when potentially private customer information is at stake.

And finally, should Femerstrand not have tried a little harder to find a way to communicate with Amex beyond Twitter? That is the consensus on Hacker News, on Reddit, and even, in some cases, in the comments on the blog post itself.
