0day Full disclosure: American Express

When somebody voluntarily contacts a company and repeatedly mentions words like “security vulnerability” and “hacker”, one would think the company would act as quickly as possible. At least all of the companies I’ve been in touch with regarding security issues have. This time the streak ended abruptly. To my great surprise, American Express doesn’t allow just anybody to contact them. Instead, you’re sent through the first-line support jungle of a website whose copyright notice is ten years old, to be bombarded with questions making sure you’re a paying customer. If you’re not, you might as well not bother, unless you feel like discussing technically advanced 0day vulnerabilities with incompetent support personnel over Twitter direct messages or the phone. They leave you no way of contacting them that bypasses any theoretical opportunity they might have to boost their sales numbers.

The only acceptable contact methods I found on their site were telephone, fax or physical mail to some typoed country called Swerige. I figured none of them were suitable for 0day reports and decided to turn to Twitter to ask for an e-mail address or some other modern protocol.

AMEX Tweet conversation

With the pesky, but necessary, introduction out of the way, let’s focus on the concrete security disclosure. A little “oops” that one of the developers left behind unprotected breaches many parts of American Express’ security in one hit; one might call this mistake a multikill. On https://www.americanexpress.com/us/admin/ you’ll find the following admin panel:

The left column is a list of what the American Express developers call “heroes” for the current period (most people would call them “news”). The list is downloadable as a CSV file and its contents are completely harmless:

"ID","Status","Type","Description","Path"
"10026","Inactive","In Development","NN105 - Brand - JD Power 5 Year Win Midas","/us/heroes/10026-Brand-JDPower5thYearMidas/hero.html"
"10025","Inactive","In Development","NN135 - Brand - Vente Privee","/us/heroes/10025-Brand-VentePrivee/hero.html"
"10022","Active","Prospect & Cardmember","NM280 - Travel - MIDAS Help Is On the Way","/us/heroes/10022-Travel-HelpIsOnTheWay/hero.html"
"10021","Active","Prospect & Cardmember","NM207 - Travel - Travel Pier Sept 2011","/us/heroes/10021-Travel-TravelPierSept2011/hero.html"
"10020","Active","Prospect & Cardmember","NL986 - Brand - JD Power 5 Year Win","/us/heroes/10020-Brand-JDPower5thYear/hero.html"
"10018","Active","Prospect & Cardmember","NL872 - OPEN - Business Rewards Gold","/us/heroes/10018-OPEN-BusinessRewardsGold/hero.html"
"10014","Active","Prospect & Cardmember","Brand - AMEX Facebook Sync","/us/heroes/10014-Brand-FacebookSync/hero.html"
"10012","Active","Prospect & Cardmember","Brand - AMEX Foursquare Sync","/us/heroes/10012-Brand-FoursquareSync/hero.html"
"10002","Active","Prospect & Cardmember","Mobile - AMEX Mobile Services","/us/heroes/10002-Mobile-MobileServices/hero.html"
"10024","Active","Cardmember","NN047 - Brand - Profile and Preferences","/us/heroes/10024-Brand-ProfileandPreferences/hero.html"
"10023","Active","Cardmember (PZN Only)","NM612 - OPEN - PZN Business Rewards Gold","/us/heroes/10023-OPEN-PznBusinessRewardsGold/hero.html"
"10017","Active","Cardmember (PZN Only)","NL766 - CCSG - MIDAS Platinum Benefits","/us/heroes/10017-CCSG-PlatinumBenefits/hero.html"
"10016","Active","Cardmember (PZN Only)","NL767 - OPEN - MIDAS Platinum Benefits","/us/heroes/10016-OPEN-PlatinumBenefits/hero.html"
"10019","Inactive","Expired","Brand - 911 Tribute Movement","/us/heroes/10019-Brand-911TributeMovement/hero.html"
"10015","Inactive","Expired","Entertainment - USOPEN Total Immersion","/us/heroes/10015-Entertainment-USOPENTotalImmersion/hero.html"
"10013","Inactive","Expired","Brand - AMEX Facebook Sync","/us/heroes/10013-Brand-FacebookSync/hero.html"
"10011","Inactive","Expired","OPEN - Big Break","/us/heroes/10011-Open-SmallBusiness/hero.html"
"10010","Inactive","Expired","Rewards-MillionPointContest","/us/heroes/10010-Rewards-MillionPointContest/hero.html"
"10009","Inactive","Expired","Entertainment - US OPEN Pre-Sale","/us/heroes/10009-Entertainment-USOPENPreSale/hero.html"
"10008","Inactive","Expired","Travel - Get Your Feet Wet","/us/heroes/10008-Travel-GetYourFeetWet/hero.html"
"10007","Inactive","Expired","Membership Rewards - Social Currency","/us/heroes/10007-Rewards-SocialCurrency/hero.html"
"10006","Inactive","Expired","Mobile - Million Downloads","/us/heroes/10006-Mobile-MillionDownloads/hero.html"
"10005","Inactive","Expired","Brand - US Homepage Launch","/us/heroes/10005-Brand-USHomepageLaunch/hero.html"
"10003","Inactive","Expired","Brand - AMEX Members Project","/us/heroes/10003-Brand-MembersProject/hero.html"
"10004","Inactive","Expired","Membership Rewards - Social Currency","/us/heroes/10004-Rewards-SocialCurrency/hero.html"
"10001","Inactive","Expired","NPL - Zync Homepage Promo","/us/heroes/10001-NPL-Zync/hero.html"
"20001","Inactive","Expired","Brand - JD Power & Associates 2010 (Prospect)","/us/heroes/20001-Brand-JDPower2010/hero.html"
"30001","Inactive","Expired","Brand - JD Power & Associates 2010 (Cardmember)","/us/heroes/30001-Brand-JDPower2010/hero.html"
"99001","Inactive","Expired","Animation Prototype","/us/heroes/99001-FPO-PowerOfMembership/hero.html"

The right column of the admin panel consists of what the developers call “cardmember cookies”, along with options for setting them with various parameters. The cookies are then used to view the heroes with various user permissions for debugging. A JavaScript comment gives an idea of how something as important as admin debugging could be left wide open:

/* don't ask me how exactly, but this gets the main
domain froma  hostname; */

Adobe DigitalPulse v3 was also left fully accessible to anyone:

I must say their debug window impressed me. It’s a fancy little jQuery-driven div that I’m sure the developers enjoy using:

Understandably, developers get sloppy about security in debug features. This becomes a direct threat when a company’s developers don’t protect their debugging tools from the public. The debugging tool is vulnerable to XSS, and that quickly becomes a real issue when the tool is invoked through unprotected GET parameters. Proof of concept (read the warning below): https://www.americanexpress.com/?debug=true&heroOverride=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%68%61%78%27%29%3c%2f%73%63%72%69%70%74%3e

The debug window refreshes itself, so injected code that doesn’t break the refresh loop will execute indefinitely. An attacker could inject a cookie stealer combined with jQuery’s .hide() and harvest cookies, which can, ironically enough, be exploited using the admin panel provided by sloppy American Express developers.

Let’s hope American Express resolves these issues ASAP :-)

128 Responses to “0day Full disclosure: American Express”

  1. Apachez Says:

    Nice! :-)

    fapfapfapfapfapfap =)

  2. devquote Says:

    OUCH :]

  3. shiii Says:

    w00t t00w

  4. Zoot Says:

    OMG :O !!!

  5. tosubscribe Says:

    wow

  6. Mihai Says:

    Fail =)))))

  7. alibert Says:

    The financial crises hit AMEX, so they cut security? :)

    But HEY, at least SSL!

  8. F0x Says:

    They failed so hard.

  9. Alfie Says:

    Surely this is just a honeypot?

  10. Ntis Says:

    Unbelievable, After 15 hours still fully opened 4 ATTACK.. Very Sloppy.

    Great find.

  11. Anonymous Says:

    HAHAHAHA! I love you :-D Stupid, stupid, stupid AmEx :-p

  12. Jackie Singh Says:

    Great job. Wonder if they’ll take notice now?

  13. Jack Says:

    Still live as of 8:30am EST Oct 6. Morons.

  14. Jay Freeman (saurik) Says:

    I’m sorry, but you failed to explain why calling the number they provided was unacceptable. Also, the fact that the person on the other end of the Twitter conversation was willing to DM you, and you seemingly refused, claiming here that you only wish to communicate using a “modern protocol” (as if e-mail is somehow more modern than Twitter) is very confusing and not well motivated by your article. To be honest, it just sounds like you wanted to write a nasty article: congratulations.

  15. Dan Says:

    Would you be able to post an update if/when you get any update on this? I would suspect something this insane might even get a cease and desist order if they can’t fix it right away…

  16. Kite Says:

    it works!

  17. illobo Says:

    have you tried this ?

    Technical Contact:
    American Express / AEDR
    American Express / AEDR
    18850 N 56th Street IPC AZ-36-02-13
    Phoenix, AZ 85054
    US
    Phone: +1 602-537-0000
    Email: [email protected]
    or Email: [email protected]

  18. Embarrassing Screenshots : American Express Websites admin page is open to the public | Kudithipudi.Org Says:

    [...] Details : http://qnrq.se/full-disclosure-american-express/ [...]

  19. AM Says:

    It’s amazing to follow the @AskAmex tweets and see how dangerous it is to put your company’s people-facing power in the hands of low-level people who just can’t seem to understand the importance of some issues.

    It’s both a training and policy problem.

    Just ridiculous that the page is still live.

  20. Charles Killmer Says:

    Also, SSL is not technically enforced. It is only suggested after the page loads. PCI council member, suffering from a PCI violation? PCI is tough. :)

  21. Max Niederhofer Says:

    The sweet thing: they knew this was open. They even took it out of their robots.txt :)

    https://www.americanexpress.com/robots.txt

    User-agent: *
    Disallow: /us/admin/
    Disallow: /us/heroes/
    Allow:

  22. Tarp Says:

    I can’t think of a better company for something like this to happen to! Screw AMEX!

  23. Duncan Bayne Says:

    Sorry, but it’s just not that hard to report the issue to American Express. I called American Express in Australia, was transferred through to the US, and had the issue escalated within 20 minutes.

    Details here: http://news.ycombinator.com/item?id=3079627.

  24. Duncan Bayne Says:

    Sorry, that link should have been: http://news.ycombinator.com/item?id=3080080.

  25. Troy Says:

    The comment at http://news.ycombinator.com/item?id=3080192 says it well. Quoting here:

    “I for one think it’s a seriously unrealistic expectation to think that AMEX or insert large corp here will handle security vulnerabilities over twitter.

    It’s the equivalent of telling a teller or their doorman about it.”

  26. IndividualRich Says:

    Erm, I might be canceling my card

  27. Jan Says:

    Did it go offline now?

  28. coldtobi Says:

    Escalation: 1 email

    Priceless: Vul still there.

  29. pepper Says:

    “Just to clarify: I have vulnerabilities.” – I would generally also not talk to people who are unable to express themselves. Especially not regarding security.

  30. Niklas Femerstrand Says:

    @pepper:

    >> I would generally also not talk to people who are unable to express themselves.
    >> Especially not regarding security.

    You wouldn’t talk to people that live in countries where English isn’t the main spoken language? That’s sad. :-)

  31. France Roy Says:

    This has been resolved. Amex needs another route for handling issues like this as articles on Hackernews are very efficient :p

  32. American Express, victim of a major security flaw, ignores the warnings | {niKo[piK]} Says:

    [...] Source [...]

  33. How Security Relates to Your Brand « Yay Liam! Says:

    [...] the problem you need to beware of isn’t just what can be done. It’s also about how bad someone can make your brand look with a post to a website after they have found issues. Depending on your business — it’s [...]

  34. Hilbert Says:

    Shame on you. You couldn’t try the email mentioned on the Amex site (at least that’s not mentioned anywhere), and after a few hours of waiting you released a tutorial for an exploit. The ones who are damaged most by this are the customers, not Amex. And seriously, Twitter as a contact form for a security hole? That’s ridiculous.

  35. Niklas Femerstrand Says:

    @Hilbert: What email? The one that requires you to be a cardmember to use? I’m not a customer, and they only offer email contact to those. I didn’t use Twitter as a contact form for a security hole, I used Twitter asking for where to submit the info. They couldn’t provide me with such a place.

    Shame on me.

  36. Funny Pictures - Page 52 Says:

    [...] [...]

  37. Software Developer Quotes / Humor - Page 5 - inQuake Forum Says:

    [...] found at fefe: qnrq» Blog Archive » 0day Full disclosure: American Express Not a thigh-slapper, but several times I did feel the reflex to slap my flat hand against my [...]

  38. Dan Says:

    This is kind of lame. You sound like a real tool. First, you demand to talk to a company that you aren’t paying in the medium of YOUR choice as opposed to the numerous methods they provided for you, and then post a hack that could directly harm people. I’m not 100% sure about the legality of posting something like this, but my uncle will, so I’ll be sure to forward it to him in the amex legal department. I do know damn well that it isn’t very ethical. I hope you’re proud of yourself.

  39. illobo Says:

    @Niklas

    yes! shame on you !

    Is a WHOIS query too complex to do? That’s not responsible security, that’s terrorism :) I understand your excitement for this vulnerability, and all the hits on your blog because of that, but … live with the critics at least :)

    (also, why not implement a normal captcha ? ‘copy this password’ is kinda lame to be honest..)

  40. Niklas Femerstrand Says:

    @illobo

    >> live with the critics at least :)

    Oh, I do! :-) If you think an email to their domain admin would’ve changed anything at this rate, you haven’t been around much.

    Thanks for the terrorist compliment!

  41. Apo Says:

    I think he did the right thing. Why is the shoe on him? Why should he pay money for a phone call? It’s not like he is getting anything from helping them. Well, I guess he did get something. A bad mood after dealing with them! :)

  42. Security problems on Americanexpress.com Says:

    [...] Source: qnrq.se [...]

  43. qnrq» Blog Archive » 0day Full disclosure: American Express | Get Credit Score Reports Says:

    [...] Read more here: qnrq» Blog Archive » 0day Full disclosure: American Express [...]

  44. Hugh Says:

    Interesting story. The refusal of companies to provide an email address is generally seen as a cost saving measure. These email addresses can be cluttered with spam and other nonsense email.

    Having said that, they will spend money to respond to tweets so why not email?

  45. HONEY Says:

    @Niklas Femerstrand Hey man good for you. F00k the h8trs. Responsible companies are supposed to have an easy-to-get-to submit portal or contact information for vulnerabilities. The fact that Amex does not, is fail, and hopefully this incident will make a portal/contact info happen…THEREFORE you effectively disclosed a vulnerability AND potentially may provoke a change in AMex’s accepting methods for vulnerabilities. It is a #FD #win a #whitehatwin #securitywin
    Don’t even respond to the n00bs who don’t get it :D ++

  46. Yagbad Says:

    What happened when you emailed the following email aliases?

    security@americanexpr[email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]

    -Yagbad

  47. Rogan Dawes Says:

    Anyone try using one of the cookies listed there to see what session it gave access to? I think there was a bit more to the exposure than was actually mentioned here.

  48. illobo Says:

    @Niklas see what Yagbad says too .. imho you should have tried at least to contact em via e-mail first, then start your twitter shenanigans …

    I still do believe you’ll get an answer from them, I _assume_ they should have at least a security officer in their organization… maybe I’m too optimistic but for feck’s sake it’s amex !

  49. JMHM Says:

    Wow, I am amazed by all the hate on Niklas. He found a gaping hole that’s easy to exploit. Not some obscure method to circumvent security. He’s trying to contact a non-paying corporation, as a favor to them and especially their customers.

    It is almost hilarious that an attempt to privately disclose a 0day attracts outrage along the lines of “he didn’t try hard enough!”. Just 10 years ago “white hatting” wasn’t as widespread as it is today, and 0days were income opportunities for sec-industry and criminals alike. My point is – for the dim-witted – that we should thank all people who provide these unpaid contributions to increasing security.

  50. » American Express and a big blunder by the programmers -- Niebezpiecznik.pl -- Says:

    [...] however Niklas Femerstrand decided on full disclosure and published the details of the bug on his blog, he asked [...]

  51. rura Says:

    I agree: this going public in a frenzy was neither professional nor in any way reasonable!
    Do you know how many nutz are out there? If you want to talk to a 3 piece suit, don’t bump him up in a surfer’s outfit!
    And yes: the vulnerability was not yet proven as such, did he hope some sql-inject script kiddie would pick it up and drop the entire userbase on some server?? If so: shame-lame-insane…get a treatment!

  52. Niklas Femerstrand Says:

    @rura:

    There was never any risk of an SQL-injection in what I reported.

    Criticize my actions all you want, but take your mental illness accusations elsewhere. Thanks.

  53. Zero-Day Vulnerability On American Express Website Now Closed | TechCrunch Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  54. Zero-Day Vulnerability On American Express Website Now Closed | Technology Blog Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  55. BRIL The Future Is Bright Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog instead. Category : [...]

  56. Zero-Day Vulnerability On American Express Website Now Closed | Corcoran News | Corcoran Local News Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  57. Zero-Day Vulnerability On American Express Website Now Closed | WhoCrunch Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  58. Zero-Day Vulnerability On American Express Website Now Closed | brianduprix Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  59. Zero-Day Vulnerability On American Express Website Now Closed - TechDaily Gizmo News Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  60. Zero-Day Vulnerability On American Express Website Now Closed | Savage News Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  61. Zero-Day Vulnerability On American Express Website Now Closed | FlexBeta Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog instead. TechCrunch Tech NewsAmerican, Closed, Express, vulnerability, website, ZeroDay [...]

  62. Zero-Day Vulnerability On American Express Website Now Closed | 567 Technology Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  63. Zero-Day Vulnerability On American Express Website Now Closed | Technology and Machines Says:

    [...] fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  64. Zero-Day Vulnerability On American Express Website Now Closed | Excelsior News | Excelsior Local News Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  65. Facebook Money Machine Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  66. Zero-Day Vulnerability On American Express Website Now Closed | MakeNoise : MakeNoise Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog instead.According to the blog post (also featured here on Hacker News), Femerstrand discovered that [...]

  67. Zero-Day Vulnerability On American Express Website Now Closed | The Wall Street Geek Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  68. Zero-Day Vulnerability On American Express Website Now Closed Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  69. Me Blog − qnrq» Blog Archive » 0day Full disclosure: American Express Says:

    [...] Originally posted here: qnrq» Blog Archive » 0day Full disclosure: American Express [...]

  70. facebook online » Zero-Day Vulnerability On American Express Website Now Closed Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  71. Of Web Apps, Smartphones and Data Leaks – Says:

    [...] the link was sent by chat with an URL obfuscator shortener. I now discovered the corresponding blog post to this issue. Coincidentally I was talking on the phone today about AnonAustria’s latest publications. [...]

  72. Zero-Day Vulnerability On American Express Website Now Closed | ShoutReview Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  73. Zero-Day Vulnerability On American Express Website Now Closed | 香港新媒體協會 Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog instead.   If you enjoyed this article, please consider sharing [...]

  74. - Excitement For All Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  75. qnrq» Blog Archive » 0day Full disclosure: American Express « Blogme Says:

    [...] original post here: qnrq» Blog Archive » 0day Full disclosure: American Express Tags: aber-ich, archive, einige-mal, fefe-gefunden, mit-der, reflex, rte-doch, schenkelklopfer, [...]

  76. Zero-Day Vulnerability On American Express Website Now Closed | Krantenkoppen Tech Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  77. Zero-Day Vulnerability On American Express Website Now Closed | Startup Help Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  78. Zero-Day Vulnerability On American Express Website Now Closed - Latest Technology Trends Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  79. Blogme » qnrq» Blog Archive » 0day Full disclosure: American Express Says:

    [...] See the rest here: qnrq» Blog Archive » 0day Full disclosure: American Express [...]

  80. shwb-6 » Zero-Day Vulnerability On American Express Website Now Closed Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  81. Patrick Daly Says:

    Starting with, “Should I inform you publicly?” shows that you were excited to have found a vulnerability and wanted to share this publicly. If you actually cared about the issue then you wouldn’t have posted this.

    I’ll never understand the kids like you that think the best solution is to go public with something that could potentially harm lots of people. Pick up the phone.

  82. Zero-Day Vulnerability On American Express Website Now Closed | The Good NET Guide Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  83. Zero-Day Vulnerability On American Express Website Now Closed - The Review Blog Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  84. Zero-Day Vulnerability On American Express Website Now Closed | codelodge.com Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  85. Zero-Day Vulnerability On American Express Website Now Closed | Bitmag Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  86. Limdul Says:

    Niklas,

    Screw the ‘you unethical monster’ crowd. Big companies should be a little more flexible with all the hacking flying around.

    I’m just sad someone without all these silly ‘morals’ didn’t jump in and clear my debt for me =/

    Keep on exposing those 0-days!

  87. Zero-Day Vulnerability On American Express Website Now Closed « News « Video Movie Tube Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  88. steve Says:

    30 seconds of google-fu exposes multiple points of contact at AMEX. Have you reported/disclosed a vulnerability before? While the outsourcing of customer support is the root cause of the stupidity, I cannot help but think that maybe a tiny bit of additional work would have prevented it.

  89. Zero-Day Vulnerability On American Express Website Now Closed | energizer Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  90. Zero-Day Vulnerability On American Express Website Now Closed | All Talks About Technology & Games Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  91. Zero-Day Vulnerability On American Express Website Now Closed « Whella – Latest News on Wireless Topics Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  92. 0day Full disclosure: American Express Says:

    [...] [...]

  93. Someone Says:

    +1

    nice finding.

    and regarding all those “haters who gonna hate”: the old story, killing the messenger … it can be frustrating, trying to get someone in charge to ack a problem. i stick to the open source dogma: release early, release often ;-)

  94. Bananas Development Blog Says:

    Security, what is that……

    Oh man, once again security holes are coming to light that really hurt. • Hetzner: As far as we can currently reconstruct, the attacker was able to access internal customer data of the Hetzner Online administration systems. …

  95. Zero-Day Vulnerability On American Express Website Now Closed | Lanka Weekly Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  96. TechShadez » Zero-Day Vulnerability On American Express Website Now Closed Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  97. Thomas Says:

    I think it was ok to spread this information in public!

  98. Zero-Day Vulnerability On American Express Website Now Closed | Gas Rebate Ticket Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  99. Zero-Day Vulnerability On American Express Website Now Closed | shwb-3 Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  100. i8strict9 Says:

    Pay no attention to the “elites”, you did the right thing. Many companies do not offer a way to reach them for technical issues with a site, and regulations and scripts keep the employees in a state of not being able to deal with the “unforeseen” events which can occur.

  101. belef Says:

    The same in Austria, [email protected], blocks hints about vulnerabilities on ELBA-accounting due – virus-protection…

    If “smart” or “intelligent” or something like these buzz-words are assumed to be simply imbecility (“AI=Artificial Imbecility”) that hits it…

    belef

  102. doch1 Says:

    @Jay Freeman (saurik):
    You know that you can DM only someone who is FOLLOWING YOU, do you?

  103. Moredread Says:

    IMO you did the right thing. If they have a vulnerability and you can’t contact them with a reasonable amount of work and resources, then that’s their loss. Full disclosure is the only thing that reliably helps.

  104. American Express left admin panel for site debugging open | Techcube Says:

    [...] cookies’. The Adobe DigitalPulse v3 debugger was also publicly accessible, developer Niklas discovered [...]

  105. Zero-Day Vulnerability On American Express Website Now Closed | Here I Talk Only About Games & Tech Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  106. Developer function enables phishing at American Express | CYBERSEECURE Says:

    [...] H Security Posted on October 7, 2011 by YPNo Comments Security specialist Niklas Femerstrand has discovered a hole on the American Express web site that attackers can use to steal, among other things, the login [...]

  107. Brian Says:

    They really could have prevented this, which is what you are pointing out here I guess.

  108. Hey corporations: Provide a easy way to disclose vulnerabilities to you! | Break & Enter Says:

    [...] Secure Development by Carsten — Leave a comment October 7, 2011 Lately I’ve seen several cases where people openly discuss discovered web vulnerabilities in big corporations’ web [...]

  109. Hey corporations: Provide a easy way to disclose vulnerabilities to you! | National Cyber Security Says:

    [...] I’ve seen several cases where people openly discuss discovered web vulnerabilities in big corporations’ web [...]

  110. ste williams » AmEx ‘debug mode left site wide open’, says hacker Says:

    [...] went public with his findings on Wednesday – posting what appears to be a harmless proof-of-concept [...]

  111. Zero-Day Vulnerability On American Express Website Now Closed « Online Contact Management « Online Contact Management Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  112. Talk 142: He’s dead Jim | RadioTux GNU/Linux Says:

    [...] AMEX has a 0day and doesn’t give a damn: admin/debug interface on website is open [...]

  113. Zero-Day Vulnerability On American Express Website Now Closed | Meaning Vocational Education and Training Says:

    [...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]

  114. AmEx ‘debug mode left site wide open’, says hacker | Exploit-ID - Exploit Information Disclosure Says:

    [...] went public with his findings on Wednesday – posting what appears to be a harmless proof-of-concept [...]

  115. Some1 Says:

    Nicely coined (if original): “first line support jungle”.
    And you are correct, most such companies believe in focusing more on customers trying to contact them.
    I have seen a company which requires the customer to log in in order to contact or query about anything!
    BTW, posting on your blog also requires one to give an email address. WHY?

  116. Niklas Femerstrand Says:

    @Some1:

    >> BTW posting on your blog too requires one to give an email address.. WHY ?

    I’m not sure; it seems to be some WordPress standard. I find it annoying as hell myself, and I’ll look into disabling it when I get the time. If you know how off the top of your head, please let me know :-)

    Update: It’s removed now.

  117. Serious flaw in the American Express website | Segfault.it Says:

    [...] who discovered the flaw applied Responsible Disclosure, even though he really had to struggle (by his own account) to get in touch with someone responsible for the portal (along the lines of: unless you are [...]

  118. Episode 491 – Thought Crime, Drone Pwnage, AMEX, Diebold, Pirate Bay, Codeine, 66% & Federal Trojan | InfoSec Daily Says:

    [...] Source: http://qnrq.se/full-disclosure-american-express/ [...]

  119. Cross-site scripting on the American Express website | Банкомёт Says:

    [...] published his "discovery" on Wednesday – in a post with a POC illustration [...]

  120. Security Flaw Compromises American Express Website | InvasaoHacking.com - Downloads, Video Lessons and Tutorials on Hackers, Trojans, Keyloggers, Worms, Malware, Viruses, phishing, Exploits, Shells, Defacing, banking, carding, Hacking orkut, Hacking Msn, Says:

    [...] Learn More: [1] 0-Day Full Disclosure American Express http://qnrq.se/full-disclosure-american-express/ [...]

  121. Anthony Says:

    If you think AmEx’s website is bad, take a look at Discover Card’s. No SSL on the landing page (and possibly others behind the scenes once you log in).

    Oh, and if you need to re-register a replacement card on their site, they are kind enough to email you your existing password as a friendly reminder in CLEARTEXT. Talk about major FAIL on the part of Discover Financial Services, a bank and one of the U.S.’ four major credit card processing companies that developed the Payment Card Industry Data Security Standards… HYPOCRITES!!!

  122. Comwise Internetwork Sdn Bhd » Blog Archive » Developer function enables phishing at American Express Says:

    [...] specialist Niklas Femerstrand has discovered a hole on the American Express web site that attackers can use to steal, among other things, the login data [...]

  123. Find A Massive Security Hole At American Express? If You’re Not A Cardholder, It Doesn’t Care « waweru.net Says:

    [...] Express… and not only not being able to find anyone to contact, but also being told that the company would pay more attention to him if he were a cardholder: To my great surprise American Express doesn’t allow anybody to contact them. Instead, [...]

  124. Security Notes « 36 Chambers – The Legendary Journeys: Execution to the max! Says:

    [...] via HNTV (and PaulDotCom Security Weekly, where I heard John and Larry talk about it first), American Express learns that you need to provide security contact information. Oh, and secure your pages. The [...]

  125. Wes Says:

    @Anthony,
    Not sure when you checked Discover Card last, but when I visit discover.com I am automatically redirected to https://www.discover.com/

  126. InfoTech IT Development Blog » Blog Archive » How Security Relates to Your Brand Says:

    [...] the problem you need to beware of isn’t just what can be done. It’s also about how bad someone can make your brand look with a post to a website after they have found issues. Depending on your business — it’s [...]

  127. How to Make Customer Service Matter Again Part 2 - Brian Solis Says:

    [...] but did not have time or patience to go through a “technical support jungle?” He blogged not only about the experience, but he also exposed the code and tipped security publications [...]

  128. M Says:

    Just wanted to let you know the right thing.

    To the haters:

    Realize other people besides the author could already know about this and be exploiting it. By him disclosing it publicly not only is the company aware, but so are you. Now you can both take measures to prevent an attack.
