0day Full disclosure: American Express
When somebody voluntarily contacts a company and repeatedly mentions words like “security vulnerability” and “hacker”, one would think the company would act as quickly as possible. At least all of the companies that I’ve been in touch with regarding security issues have. This time the streak ended drastically. To my great surprise, American Express doesn’t allow anybody to contact them. Instead, you’re sent through the first-line support jungle of their website (whose copyright notice is ten years old) to be attacked with questions ensuring that you’re a paying customer. If you’re not, you might as well not bother, unless you feel like discussing technically advanced 0day vulnerabilities with incompetent support personnel, either through Twitter direct messages or by phone. They leave you no option of contacting them in a manner that circumvents any theoretical possibility they may have of boosting sales numbers.
The only acceptable contact methods that I found on their site were telephone, fax or physical mail to some typoed country called Swerige. I figured none of them were suitable for 0day reports and decided to turn to Twitter to ask for an e-mail address or some other modern protocol.
With the pesky but necessary introduction out of the way, let’s focus on the concrete security disclosure. A little “oops” that one of the developers left behind unprotected breaches many parts of American Express’ security in one hit; one might say that this mistake is a multikill. On https://www.americanexpress.com/us/admin/ you’ll find the following admin panel:
The left column is a list of what the American Express developers call “heroes” for the current period. (Most people call them “news”.) The list is downloadable as a CSV file and its contents are completely harmless:
"ID","Status","Type","Description","Path"
"10026","Inactive","In Development","NN105 - Brand - JD Power 5 Year Win Midas","/us/heroes/10026-Brand-JDPower5thYearMidas/hero.html"
"10025","Inactive","In Development","NN135 - Brand - Vente Privee","/us/heroes/10025-Brand-VentePrivee/hero.html"
"10022","Active","Prospect & Cardmember","NM280 - Travel - MIDAS Help Is On the Way","/us/heroes/10022-Travel-HelpIsOnTheWay/hero.html"
"10021","Active","Prospect & Cardmember","NM207 - Travel - Travel Pier Sept 2011","/us/heroes/10021-Travel-TravelPierSept2011/hero.html"
"10020","Active","Prospect & Cardmember","NL986 - Brand - JD Power 5 Year Win","/us/heroes/10020-Brand-JDPower5thYear/hero.html"
"10018","Active","Prospect & Cardmember","NL872 - OPEN - Business Rewards Gold","/us/heroes/10018-OPEN-BusinessRewardsGold/hero.html"
"10014","Active","Prospect & Cardmember","Brand - AMEX Facebook Sync","/us/heroes/10014-Brand-FacebookSync/hero.html"
"10012","Active","Prospect & Cardmember","Brand - AMEX Foursquare Sync","/us/heroes/10012-Brand-FoursquareSync/hero.html"
"10002","Active","Prospect & Cardmember","Mobile - AMEX Mobile Services","/us/heroes/10002-Mobile-MobileServices/hero.html"
"10024","Active","Cardmember","NN047 - Brand - Profile and Preferences","/us/heroes/10024-Brand-ProfileandPreferences/hero.html"
"10023","Active","Cardmember (PZN Only)","NM612 - OPEN - PZN Business Rewards Gold","/us/heroes/10023-OPEN-PznBusinessRewardsGold/hero.html"
"10017","Active","Cardmember (PZN Only)","NL766 - CCSG - MIDAS Platinum Benefits","/us/heroes/10017-CCSG-PlatinumBenefits/hero.html"
"10016","Active","Cardmember (PZN Only)","NL767 - OPEN - MIDAS Platinum Benefits","/us/heroes/10016-OPEN-PlatinumBenefits/hero.html"
"10019","Inactive","Expired","Brand - 911 Tribute Movement","/us/heroes/10019-Brand-911TributeMovement/hero.html"
"10015","Inactive","Expired","Entertainment - USOPEN Total Immersion","/us/heroes/10015-Entertainment-USOPENTotalImmersion/hero.html"
"10013","Inactive","Expired","Brand - AMEX Facebook Sync","/us/heroes/10013-Brand-FacebookSync/hero.html"
"10011","Inactive","Expired","OPEN - Big Break","/us/heroes/10011-Open-SmallBusiness/hero.html"
"10010","Inactive","Expired","Rewards-MillionPointContest","/us/heroes/10010-Rewards-MillionPointContest/hero.html"
"10009","Inactive","Expired","Entertainment - US OPEN Pre-Sale","/us/heroes/10009-Entertainment-USOPENPreSale/hero.html"
"10008","Inactive","Expired","Travel - Get Your Feet Wet","/us/heroes/10008-Travel-GetYourFeetWet/hero.html"
"10007","Inactive","Expired","Membership Rewards - Social Currency","/us/heroes/10007-Rewards-SocialCurrency/hero.html"
"10006","Inactive","Expired","Mobile - Million Downloads","/us/heroes/10006-Mobile-MillionDownloads/hero.html"
"10005","Inactive","Expired","Brand - US Homepage Launch","/us/heroes/10005-Brand-USHomepageLaunch/hero.html"
"10003","Inactive","Expired","Brand - AMEX Members Project","/us/heroes/10003-Brand-MembersProject/hero.html"
"10004","Inactive","Expired","Membership Rewards - Social Currency","/us/heroes/10004-Rewards-SocialCurrency/hero.html"
"10001","Inactive","Expired","NPL - Zync Homepage Promo","/us/heroes/10001-NPL-Zync/hero.html"
"20001","Inactive","Expired","Brand - JD Power & Associates 2010 (Prospect)","/us/heroes/20001-Brand-JDPower2010/hero.html"
"30001","Inactive","Expired","Brand - JD Power & Associates 2010 (Cardmember)","/us/heroes/30001-Brand-JDPower2010/hero.html"
"99001","Inactive","Expired","Animation Prototype","/us/heroes/99001-FPO-PowerOfMembership/hero.html"
The right column of the admin panel consists of what the developers call “cardmember cookies” and options for setting them with various parameters. The cookies are then used for viewing the heroes with various user permissions for debugging. A JavaScript comment gives an idea of how something as important as the admin debugging could be left wide open:
/* don't ask me how exactly, but this gets the main domain froma hostname; */
Adobe DigitalPulse v3 was also left behind fully accessible by anyone:
I must say their debug window impressed me. It’s a fancy little jQuery-driven div that I’m very sure the developers enjoy using:
Understandably, developers get sloppy around security implementations in debug features. Ironically, this becomes a direct threat when a company’s developers don’t protect their debugging tools from the public. The debugging tool is vulnerable to XSS, and it quickly becomes an issue when the debugging tools are called through unprotected GET parameters. Proof of concept (read the warning below): https://www.americanexpress.com/?debug=true&heroOverride=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%68%61%78%27%29%3c%2f%73%63%72%69%70%74%3e
The debug window refreshes itself, so injected code that doesn’t break the loop will execute indefinitely. An attacker could inject a cookie stealer combined with jQuery’s .hide() and harvest cookies which can, ironically enough, be exploited by using the admin panel provided by sloppy American Express developers.
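To make the failure mode concrete, here is an added example of my own (it is not American Express code and not code from the original post) showing the pattern that makes such a debug window exploitable next to the way it is normally hardened. The parameter names debug and heroOverride and the proof-of-concept URL are the ones quoted above; the hostname allowlist DEBUG_HOSTS, the five-digit hero-ID format (taken from the CSV above) and the function names are assumptions made for this illustration.

```javascript
// Added example, not American Express code. The parameter names (debug,
// heroOverride) and the PoC URL are from the post; DEBUG_HOSTS, HERO_ID and
// the function names are assumptions made for this illustration.

// Escape text for placement inside an HTML element body or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hosts on which the debug panel may exist at all (assumed list). The public
// hostname is deliberately absent: a panel that can be switched on with a GET
// parameter must not ship to production.
const DEBUG_HOSTS = new Set(["localhost", "dev.example.invalid"]);

// Hero IDs are five-digit numbers in the CSV shown in the post, so the
// override is validated against that shape instead of being reflected as text.
const HERO_ID = /^[0-9]{5}$/;

// Pull the two debug parameters out of a request URL. URLSearchParams
// percent-decodes once, so the PoC's %3c%73... arrives as "<s...".
function parseDebugRequest(urlString) {
  const url = new URL(urlString);
  return {
    host: url.hostname,
    debug: url.searchParams.get("debug") === "true",
    heroOverride: url.searchParams.get("heroOverride"),
  };
}

// UNSAFE, the pattern the post describes: raw input concatenated into markup,
// so a value containing "<script>" becomes live script in the debug window.
function renderDebugPanelUnsafe(urlString) {
  const req = parseDebugRequest(urlString);
  if (!req.debug) return "";
  return '<div id="debug">heroOverride: ' + req.heroOverride + "</div>";
}

// Hardened: the panel does not exist on public hosts, the override must look
// like a hero ID, and the validated value is still escaped so a later
// relaxation of HERO_ID cannot silently reintroduce the injection.
function renderDebugPanelSafe(urlString) {
  const req = parseDebugRequest(urlString);
  if (!req.debug || !DEBUG_HOSTS.has(req.host)) return "";
  const value = req.heroOverride === null ? "" : req.heroOverride;
  if (value !== "" && !HERO_ID.test(value)) {
    return '<div id="debug">heroOverride: (rejected)</div>';
  }
  return '<div id="debug">heroOverride: ' + escapeHtml(value) + "</div>";
}

// Proof-of-concept URL quoted in the post, used here only as an input value.
const POC_URL =
  "https://www.americanexpress.com/?debug=true&heroOverride=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%68%61%78%27%29%3c%2f%73%63%72%69%70%74%3e";

console.log("unsafe:", renderDebugPanelUnsafe(POC_URL));
console.log("safe (public host):", JSON.stringify(renderDebugPanelSafe(POC_URL)));
console.log("safe (dev host):", renderDebugPanelSafe("https://localhost/?debug=true&heroOverride=10022"));
```

The order of the three checks in renderDebugPanelSafe is the point: the environment gate removes the panel from the public site entirely, validation means the override never needs to be free text, and the escaping is only defence in depth for the day somebody widens HERO_ID.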
Let’s hope American Express resolves these issues ASAP :-)
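For the operations side of the same finding, here is an added example (my own, not from the post or from American Express) of detection logic a defender could run over web-server access logs to spot the two things described above: requests to the exposed /us/admin/ path, and debug requests whose heroOverride value carries markup. The log lines are constructed for this illustration and use documentation IP addresses; the rule names, the log format (Apache combined style) and the decode-until-stable handling of double percent-encoding are assumptions of the example, not anything the post reports.

```javascript
// Added example, not from the post or from American Express. Detection over
// access-log lines for the exposed admin path and for debug requests whose
// heroOverride value contains markup. SAMPLE_LOG is constructed; the IPs are
// RFC 5737 documentation addresses and the timestamps are invented.

const SAMPLE_LOG = [
  '203.0.113.5 - - [06/Oct/2011:08:30:00 +0000] "GET /us/admin/ HTTP/1.1" 200 4821',
  '203.0.113.5 - - [06/Oct/2011:08:30:02 +0000] "GET /?debug=true&heroOverride=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%68%61%78%27%29%3c%2f%73%63%72%69%70%74%3e HTTP/1.1" 200 9113',
  '198.51.100.7 - - [06/Oct/2011:08:31:10 +0000] "GET /us/heroes/10022-Travel-HelpIsOnTheWay/hero.html HTTP/1.1" 200 2201',
  '198.51.100.7 - - [06/Oct/2011:08:31:12 +0000] "GET /?debug=true&heroOverride=10022 HTTP/1.1" 200 9001',
  '198.51.100.7 - - [06/Oct/2011:08:31:40 +0000] "GET /?heroOverride=%253Cb%253E HTTP/1.1" 200 8800',
].join("\n");

// Apache/nginx combined-format prefix: client, ident, user, [timestamp],
// "METHOD target protocol", status, size. Only the fields we use are captured.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

// A tag opener after decoding: "<b", "</b", "<!--" and so on. Deliberately
// broad, since the question is "does this look like markup", not "is this
// a working payload".
const MARKUP = /<\s*\/?[a-z!]/i;

// Percent-decode until the value stops changing (bounded), so a value that was
// encoded twice is compared in the same form as one encoded once. Malformed
// sequences throw, in which case the last good form is returned.
function fullyDecode(s) {
  let prev = s;
  for (let i = 0; i < 3; i++) {
    let cur;
    try {
      cur = decodeURIComponent(prev);
    } catch (e) {
      return prev;
    }
    if (cur === prev) return cur;
    prev = cur;
  }
  return prev;
}

// Parse one log line and return zero or more findings for it.
function analyzeLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return [];
  const [, ip, ts, , target] = m;
  // Relative request target; the base host is a placeholder, not a real site.
  const url = new URL(target, "https://log.invalid");
  const findings = [];
  if (url.pathname.startsWith("/us/admin/")) {
    findings.push({ rule: "admin-panel-request", ip, ts, detail: url.pathname });
  }
  if (url.searchParams.get("debug") === "true") {
    findings.push({ rule: "debug-mode-requested", ip, ts, detail: target });
  }
  const hero = url.searchParams.get("heroOverride"); // already decoded once
  if (hero !== null) {
    const decoded = fullyDecode(hero);
    if (MARKUP.test(decoded)) {
      findings.push({ rule: "markup-in-heroOverride", ip, ts, detail: decoded });
    }
  }
  return findings;
}

function analyzeLog(text) {
  return text.split("\n").filter(Boolean).flatMap(analyzeLine);
}

// Count findings per rule, which is what a dashboard or alert threshold wants.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] || 0) + 1;
  return counts;
}

const results = analyzeLog(SAMPLE_LOG);
for (const f of results) console.log(f.rule, f.ip, f.ts, JSON.stringify(f.detail));
console.log(summarize(results));
```

On the constructed sample, the two debug-mode hits from 198.51.100.7 show why "debug=true from the public internet" is worth a rule on its own: a debug feature that exists on the production host is a finding even when the override value is a perfectly valid hero ID.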

October 5th, 2011 at 10:27 pm
Nice! :-)
fapfapfapfapfapfap =)
October 6th, 2011 at 9:48 am
OUCH :]
October 6th, 2011 at 9:54 am
w00t t00w
October 6th, 2011 at 10:07 am
OMG :O !!!
October 6th, 2011 at 10:11 am
wow
October 6th, 2011 at 10:13 am
Fail =)))))
October 6th, 2011 at 10:52 am
The financial crises hit AMEX, so they cut security? :)
But HEY, at least SSL!
October 6th, 2011 at 11:00 am
They failed so hard.
October 6th, 2011 at 11:35 am
Surely this is just a honeypot?
October 6th, 2011 at 11:41 am
Unbelievable, After 15 hours still fully opened 4 ATTACK.. Very Sloppy.
Great find.
October 6th, 2011 at 11:58 am
HAHAHAHA! I love you :-D Stupid, stupid, stupid AmEx :-p
October 6th, 2011 at 12:18 pm
Great job. Wonder if they’ll take notice now?
October 6th, 2011 at 12:27 pm
Still live as of 8:30am EST Oct 6. Morons.
October 6th, 2011 at 12:30 pm
I’m sorry, but you failed to explain why calling the number they provided was unacceptable. Also, the fact that the person on the other end of the Twitter conversation was willing to DM you, and you seemingly refused, claiming here that you only wish to communicate using a “modern protocol” (as if e-mail is somehow more modern than Twitter) is very confusing and not well motivated by your article. To be honest, it just sounds like you wanted to write a nasty article: congratulations.
October 6th, 2011 at 12:53 pm
Would you be able to post an update if/when you get any update on this? I would suspect something this insane might even get a cease and desist order if they can’t fix it right away…
October 6th, 2011 at 1:02 pm
it works!
October 6th, 2011 at 1:15 pm
have you tried this ?
Technical Contact:
American Express / AEDR
American Express / AEDR
18850 N 56th Street IPC AZ-36-02-13
Phoenix, AZ 85054
US
Phone: +1 602-537-0000
Email: amexdns@aexp.com
or Email: gtld@aexp.com
October 6th, 2011 at 1:20 pm
[...] Details : http://qnrq.se/full-disclosure-american-express/ [...]
October 6th, 2011 at 1:26 pm
It’s amazing to follow the @AskAmex tweets and see how dangerous it is to put your company’s people-facing power in the hands of low-level people who just can’t seem to understand the importance of some issues.
It’s both a training and policy problem.
Just ridiculous that the page is still live.
October 6th, 2011 at 1:39 pm
Also, SSL is not technically enforced. It is only suggested after the page loads. PCI council member, suffering from a PCI violation? PCI is tough. :)
October 6th, 2011 at 1:40 pm
The sweet thing: they knew this was open. They even took it out of their robots.txt :)
https://www.americanexpress.com/robots.txt
User-agent: *
Disallow: /us/admin/
Disallow: /us/heroes/
Allow:
October 6th, 2011 at 1:48 pm
I can’t think of a better company for something like this to happen to! Screw AMEX!
October 6th, 2011 at 1:52 pm
Sorry, but it’s just not that hard to report the issue to American Express. I called American Express in Australia, was transferred through to the US, and had the issue escalated within 20 minutes.
Details here: http://news.ycombinator.com/item?id=3079627.
October 6th, 2011 at 1:53 pm
Sorry, that link should have been: http://news.ycombinator.com/item?id=3080080.
October 6th, 2011 at 2:45 pm
The comment at http://news.ycombinator.com/item?id=3080192 says it well. Quoting here:
“I for one think it’s a seriously unrealistic expectation to think that AMEX or insert large corp here will handle security vulnerabilities over twitter.
It’s the equivalent of telling a teller or their doorman about it.”
October 6th, 2011 at 2:46 pm
Erm, I might be canceling my card
October 6th, 2011 at 2:47 pm
Did it go offline now?
October 6th, 2011 at 2:49 pm
Escalation: 1 email
Priceless: Vul still there.
October 6th, 2011 at 2:50 pm
“Just to clarify: I have vulnerabilities.” – I would generally also not talk to people who are unable to express themselves. Especially not regarding security.
October 6th, 2011 at 2:57 pm
@pepper:
>> I would generally also not talk to people who are unable to express themselves.
>> Especially not regarding security.
You wouldn’t talk to people that live in countries where English isn’t the main spoken language? That’s sad. :-)
October 6th, 2011 at 2:58 pm
This has been resolved. Amex needs another route for handling issues like this as articles on Hackernews are very efficient :p
October 6th, 2011 at 4:02 pm
[...] the problem you need to beware of isn’t just what can be done. It’s also about how bad someone can make your brand look with a post to a website after they have found issues. Depending on your business — it’s [...]
October 6th, 2011 at 4:14 pm
Shame on you. You couldn’t try the email mentioned on the Amex site (at least that’s not mentioned anywhere), and after a few hours of waiting you released a tutorial for an exploit. The ones who are damaged most by this are the customers, not Amex. And seriously, Twitter as a contact form for a security hole? That’s ridiculous.
October 6th, 2011 at 4:22 pm
@Hilbert: What email? The one that requires you to be a cardmember to use? I’m not a customer, and they only offer email contact to those. I didn’t use Twitter as a contact form for a security hole, I used Twitter asking for where to submit the info. They couldn’t provide me with such a place.
Shame on me.
October 6th, 2011 at 4:50 pm
[...] found via fefe: qnrq» Blog Archive » 0day Full disclosure: American Express. Not a knee-slapper, but several times I did feel the reflex to put the flat of my hand to my [...]
October 6th, 2011 at 5:25 pm
This is kind of lame. You sound like a real tool. First, you demand to talk to a company that you aren’t paying in the medium of YOUR choice as opposed to the numerous methods they provided for you, and then post a hack that could directly harm people. I’m not 100% sure about the legality of posting something like this, but my uncle will, so I’ll be sure to forward it to him in the amex legal department. I do know damn well that it isn’t very ethical. I hope you’re proud of yourself.
October 6th, 2011 at 5:34 pm
@Niklas
yes! shame on you !
Is a WHOIS query too complex to do? That’s not responsible security, that’s terrorism :) I understand your excitement for this vulnerability, and all the hits on your blog because of that, but … live with the critics at least :)
(also, why not implement a normal captcha ? ‘copy this password’ is kinda lame to be honest..)
October 6th, 2011 at 5:39 pm
@illobo
>> live with the critics at least :)
Oh, I do! :-) If you think an email to their domain admin would’ve changed anything at this rate, you haven’t been around much.
Thanks for the terrorist compliment!
October 6th, 2011 at 5:44 pm
I think he did the right thing. Why is the shoe on him? Why should he pay money for a phone call? It’s not like he is getting anything from helping them. Well, I guess he did get something: a bad mood after dealing with them! :)
October 6th, 2011 at 5:45 pm
[...] Source: qnrq.se [...]
October 6th, 2011 at 6:01 pm
[...] Read more here: qnrq» Blog Archive » 0day Full disclosure: American Express [...]
October 6th, 2011 at 6:08 pm
Interesting story. The refusal of companies to provide an email address is generally seen as a cost saving measure. These email addresses can be cluttered with spam and other nonsense email.
Having said that, they will spend money to respond to tweets so why not email?
October 6th, 2011 at 6:19 pm
@Niklas Femerstrand Hey man good for you. F00k the h8trs. Responsible companies are supposed to have an easy-to-get-to submit portal or contact information for vulnerabilities. The fact that Amex does not, is fail, and hopefully this incident will make a portal/contact info happen…THEREFORE you effectively disclosed a vulnerability AND potentially may provoke a change in AMex’s accepting methods for vulnerabilities. It is a #FD #win a #whitehatwin #securitywin
Don’t even respond to the n00bs who don’t get it :D ++
October 6th, 2011 at 6:22 pm
What happened when you emailed the following email aliases?
security@americanexpress.com
abuse@americanexpress.com
noc@americanexpress.com
sales@americanexpress.com
support@americanexpress.com
-Yagbad
October 6th, 2011 at 6:38 pm
Anyone try using one of the cookies listed there to see what session it gave access to? I think there was a bit more to the exposure than was actually mentioned here.
October 6th, 2011 at 6:49 pm
@Niklas see what Yagbad says too .. imho you should have tried at least to contact them via e-mail first, then start your Twitter shenanigans …
I still do believe you’ll get an answer from them, I _assume_ they should have at least a security officer in their organization… maybe I’m too optimistic but for feck’s sake it’s amex !
October 6th, 2011 at 7:00 pm
Wow, I am amazed by all the hate on Niklas. He found a gaping hole that’s easy to exploit. Not some obscure method to circumvent security. He’s trying to contact a non-paying corporation, as a favor to them and especially their customers.
It is almost hilarious that an attempt to privately disclose a 0day attracts outrage along the lines of “he didn’t try hard enough!”. Just 10 years ago “white hatting” wasn’t as widespread as it is today, and 0days were income opportunities for sec-industry and criminals alike. My point is – for the dim-witted – that we should thank all people who provide these unpaid contributions to increasing security.
October 6th, 2011 at 7:07 pm
[...] however, Niklas Femerstrand decided on full disclosure and published the details of the bug on his blog; he asked [...]
October 6th, 2011 at 7:42 pm
I agree: this going public in a frenzy was neither professional nor in any way reasonable!
Do you know how many nutz are out there? If you want to talk to a 3-piece suit, don’t bump him up in a surfer’s outfit!
And yes: the vulnerability was not yet proven as such. Did he hope some SQL-injection script kiddie would pick it up and drop the entire userbase on some server?? If so: shame-lame-insane…get a treatment!
October 6th, 2011 at 7:53 pm
@rura:
There was never any risk of an SQL-injection in what I reported.
Criticize my actions all you want, but take your mental illness accusations elsewhere. Thanks.
October 6th, 2011 at 7:57 pm
[...] contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog [...]
October 6th, 2011 at 8:48 pm
[...] Originally posted here: qnrq» Blog Archive » 0day Full disclosure: American Express [...]
October 6th, 2011 at 9:02 pm
[...] the link was sent by chat with a URL-obfuscating shortener. I have now discovered the corresponding blog post for this issue. Coincidentally I was talking on the phone today about AnonAustria’s latest publications. [...]
October 6th, 2011 at 9:30 pm
[...] original post here: qnrq» Blog Archive » 0day Full disclosure: American Express Tags: aber-ich, archive, einige-mal, fefe-gefunden, mit-der, reflex, rte-doch, schenkelklopfer, [...]
October 6th, 2011 at 10:33 pm
[...] See the rest here: qnrq» Blog Archive » 0day Full disclosure: American Express [...]
October 6th, 2011 at 10:49 pm
Starting with “Should I inform you publicly?” shows that you were excited to have found a vulnerability and wanted to share this publicly. If you actually cared about the issue then you wouldn’t have posted this.
I’ll never understand the kids like you that think the best solution is to go public with something that could potentially harm lots of people. Pick up the phone.
October 7th, 2011 at 2:31 am
Niklas,
Screw the ‘you unethical monster’ crowd. Big companies should be a little more flexible with all the hacking flying around.
I’m just sad someone without all these silly ‘morals’ didn’t jump in and clear my debt for me =/
Keep on exposing those 0-days!
October 7th, 2011 at 3:11 am
30 seconds of google-fu exposes multiple points of contact at AMEX. Have you reported/disclosed a vulnerability before? While the outsourcing of customer support is the root cause of the stupidity, I cannot help to think that maybe a tiny bit of additional work would have prevented it.
October 7th, 2011 at 5:51 am
+1
nice finding.
and regarding all those “haters who gonna hate”: the old story, killing the messenger … it can be frustrating, trying to get someone in charge to ack a problem. i stick to the open source dogma: release early, release often ;-)
October 7th, 2011 at 5:57 am
Security, what is that……
Oh man, once again security holes are coming to light that really hurt. • Hetzner: As far as we can currently reconstruct, the attacker was able to access internal customer data of the Hetzner Online administration systems. …
October 7th, 2011 at 7:04 am
I think it was ok to spread this information in public!
October 7th, 2011 at 7:52 am
Pay no attention to the “elites”, you did the right thing. Many companies do not offer a way to reach them for technical issues with a site, and regulations and scripts keep the employees in a state of not being able to deal with the “unforeseen” events which can occur.
October 7th, 2011 at 8:27 am
The same in Austria, security@xxxxbank.xx, blocks hints about vulnerabilities on ELBA-accounting due – virus-protection…
If “smart” or “intelligent” or something like these buzzwords are assumed to be simply imbecility (“AI = Artificial Imbecility”), that hits it…
belef
October 7th, 2011 at 9:19 am
@Jay Freeman (saurik):
You know that you can DM only someone who is FOLLOWING YOU, do you?
October 7th, 2011 at 10:08 am
IMO you did the right thing. If they have a vulnerability and you can’t contact them with a reasonable amount of work and resources, then that’s their loss. Full disclosure is the only thing that reliably helps.
October 7th, 2011 at 12:46 pm
[...] cookies’. The Adobe DigitalPulse v3 debugger was also publicly accessible, developer Niklas discovered [...]
October 7th, 2011 at 2:24 pm
[...] H Security Posted on October 7, 2011 by YPNo Comments Security specialist Niklas Femerstrand has discovered a hole on the American Express web site that attackers can use to steal, among other things, the login [...]
October 7th, 2011 at 4:09 pm
They really could have prevented this, which is what you are pointing out here I guess.
October 7th, 2011 at 4:46 pm
[...] Secure Development by Carsten — Leave a comment October 7, 2011 Lately I’ve seen several cases where people openly discuss discovered web vulnerabilities in big corporations’ web [...]
October 7th, 2011 at 5:18 pm
[...] I’ve seen several cases where people openly discuss discovered web vulnerabilities in big corporations’ web [...]
October 7th, 2011 at 5:31 pm
[...] went public with his findings on Wednesday – posting what appears to be a harmless proof-of-concept [...]
October 7th, 2011 at 6:22 pm
[...] AMEX has a 0day and doesn’t give a damn: admin/debug interface on the website is open [...]
October 10th, 2011 at 8:30 am
Nicely coined (if original): “first line support jungle”.
And you are correct, most such companies believe in focusing more on customers trying to contact them.
I have seen a company which requires the customer to log in in order to contact or query about anything!
BTW, posting on your blog too requires one to give an email address.. WHY?
October 10th, 2011 at 8:49 am
@Some1:
>> BTW posting on your blog too requires one to give an email address.. WHY ?
I’m not sure, it seems to be some WordPress standard. I find it annoying as hell myself, I’ll look into disabling it when I get the time to look into it. If you know how to from the top of your head, please let me know :-)
Update: It’s removed now.
October 10th, 2011 at 9:29 am
[...] who discovered the flaw applied responsible disclosure, even though he really had to struggle (by his own account) to get in touch with someone responsible for the portal (along the lines of: unless you are [...]
October 11th, 2011 at 1:02 am
[...] Source: http://qnrq.se/full-disclosure-american-express/ [...]
October 11th, 2011 at 10:47 am
[...] published his "discovery" on Wednesday – in a post with a PoC illustration [...]
October 11th, 2011 at 4:30 pm
[...] Learn more: [1] 0-Day Full Disclosure American Express http://qnrq.se/full-disclosure-american-express/ [...]
October 11th, 2011 at 11:16 pm
If you think AmEx’s website is bad, take a look at Discover Card’s. No SSL on the landing page (and possibly others behind the scenes once you log in).
Oh, and if you need to re-register a replacement card on their site, they are kind enough to email you your existing password as a friendly reminder in CLEARTEXT. Talk about major FAIL on the part of Discover Financial Services, a bank and one of the U.S.’ four major credit card processing companies that developed the Payment Card Industry Data Security Standards… HYPOCRITES!!!
October 12th, 2011 at 1:02 am
[...] specialist Niklas Femerstrand has discovered a hole on the American Express web site that attackers can use to steal, among other things, the login data [...]
October 12th, 2011 at 1:38 am
[...] Express… and not only not being able to find anyone to contact, but also being told that the company would pay more attention to him if he were a cardholder: To my great surprise American Express doesn’t allow anybody to contact them. Instead, [...]
October 21st, 2011 at 4:05 pm
[...] via HNTV (and PaulDotCom Security Weekly, where I heard about John and Larry talk about it first), American Express learns that you need to provide security contact information. Oh, and secure your pages. The [...]
October 26th, 2011 at 8:59 pm
@Anthony,
Not sure when you checked Discover Card last but when I visit discover.com I am automatically redirected to https://www.discover.com/…