Amex developers have left several debug utilities available on their web site for anyone on the internet to access. The exposed debug is vulnerable to cross site scripting attacks which could be used to steal cookies. Those cookies can then be used to log into accounts as those users. The guy that found it has been trying to inform Amex since Oct 4th. It's been almost 24 hours since the vulnerability went public and Amex still hasn't done anything about it.
http://qnrq.se/full-disclosure-american-express/
http://seclists.org/fulldisclosure/2011/Oct/284
http://twitter.com/#!/qnrq
No comments:
Post a Comment
Please note all comments are moderated by me before they appear on the site. It may take a day or so for me to get to them. Thanks for your feedback.