Typing this up in real time ...<p>I called American Express Australia to report the defect & I was transferred through to the American call centre.<p>The CSR to whom I spoke transferred me through to a different department, after I explained that I didn't have an account. She did ask whether "I received an email" which I assume was some sort of inquiry as to whether I had been phished.<p>I then spoke to an online services rep., who after asking for my card number, listened to my report. She then put me on hold.<p>(The call had taken 10 minutes by this time).<p>After a few more minutes on hold, the CSR came back on the line, asked me to repeat the information, and confirmed for the umpteenth time that I don't have an American Express card. I explained that it wasn't my find, but that it had been published online & so was by now _very_ public.<p>(15 minutes by this time, most of that on hold listening to advertising for American Express, including some ironic praise for their website).<p>CSR comes back on the line. She's spoken to her 'technical team' who assure me that there's nothing insecure going on because it's all over HTTPS. So I politely walked her through the process - visit the page, add ?debug to the URL, click the admin link & behold: lots of should-be-secure stuff.<p>At this point she thanks me profusely, & asks that I hold while she speaks to her supervisor. Back to the American Express ads ...<p>(20 minutes at this point).<p>The CSR came back on the line, thanked me again, & said that her supervisor had taken a screenshot of the issue & escalated it. Job done.<p>So, yeah, I can totally understand the frustration experienced by the guy who discovered the vulnerability. But it certainly wasn't impossible for me to report the issue, & I'm in Australia.
Some years ago when I was doing more stuff in spam and phishing I came across a phishing site for a small US bank. The list of phished card details was available through the interface and it was clear that there were some real people local to the bank who had given their name, address, card number, PIN, SSN, ... everything.<p>I decided to contact the bank. After filling in the form for contact on their web site giving all the details of the site, I did get an email back and eventually I got someone on the phone. This person (who said they were in charge of bank computer security) thanked me and said that they were going to try to deal with it (I had also contacted the school district whose computer was hosting the site to get it shut down).<p>I then told this person that there were real account details on the phisher site and would they like the list of people's account numbers so they could inform their customer/shut down their debit card etc. The bank officer replied, "No." As far as they were concerned the people who were that stupid got what they deserved.<p>I was flabbergasted, but couldn't do much to make the bank do something.<p>So, using the names and addresses of the people from the phishing site I managed to track a couple of them down (they were small businesses whose business addresses were available on the web) and phoned them up so they would be alerted. They took it pretty well considering that some weird British guy was calling them from France to tell them their US bank account details were at risk.
They knew this was open. They even took it out of their robots.txt :)<p><a href="https://www.americanexpress.com/robots.txt" rel="nofollow">https://www.americanexpress.com/robots.txt</a><p>User-agent: *
Disallow: /us/admin/
Disallow: /us/heroes/
Allow:
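Those Disallow lines are exactly what an attacker reads first: robots.txt is a list of paths the site owner does not want indexed, which is a list of places worth checking for missing access control. The script below is an added example, not code from the thread or from American Express, that parses a robots.txt into user-agent groups and turns the Disallow entries into candidate URLs for a manual authorization check. The sample text is constructed from the three directives quoted above, the base URL is only used to build strings, and nothing is fetched.

```python
"""Extract crawler-hidden paths from a robots.txt as recon leads.

Added example; not from the original thread or American Express. The sample
robots.txt is constructed from the lines quoted in the comment above.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urljoin

# Constructed sample: the three directives quoted in the comment above.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /us/admin/
Disallow: /us/heroes/
Allow:
"""


@dataclass
class RobotsGroup:
    agents: List[str] = field(default_factory=list)
    disallow: List[str] = field(default_factory=list)
    allow: List[str] = field(default_factory=list)


def parse_robots(text: str) -> List[RobotsGroup]:
    """Parse robots.txt into user-agent groups; '#' comments and blank lines are ignored."""
    groups: List[RobotsGroup] = []
    current: Optional[RobotsGroup] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            # Consecutive User-agent lines share one group; a User-agent line
            # that follows a rule line starts a new group.
            if current is None or current.disallow or current.allow:
                current = RobotsGroup()
                groups.append(current)
            current.agents.append(value)
        elif key in ("disallow", "allow"):
            if current is None:  # rules before any User-agent: treat as global
                current = RobotsGroup(agents=["*"])
                groups.append(current)
            if value:  # an empty "Disallow:" or "Allow:" matches nothing
                getattr(current, key).append(value)
    return groups


def hidden_paths(text: str, base_url: str) -> List[str]:
    """Return absolute URLs the site asks crawlers to stay out of, in file order.

    These are leads, not findings: a Disallow line only says something exists
    there. Whether it is actually protected has to be checked per path.
    """
    urls: List[str] = []
    for group in parse_robots(text):
        for path in group.disallow:
            url = urljoin(base_url, path.rstrip("*"))  # drop trailing wildcard
            if url not in urls:
                urls.append(url)
    return urls


if __name__ == "__main__":
    for u in hidden_paths(SAMPLE_ROBOTS, "https://www.americanexpress.com/"):
        print(u)
```

Run against the sample it prints the two `/us/` paths from the comment. On a real engagement each URL would then be requested with no credentials to confirm the access control the Disallow line implies is actually there.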
The first three Twitter messages by the vulnerability reporter are:<p>“@AmericanExpress Who can I contact regarding security vulnerabilities in your system? I'm not available through phone, physical mail or fax”<p>“@AmericanExpress Just to clarify: I have vulnerabilities. This should be "urgent", so no technical support jungle please :-)”<p>“@AmericanExpress I've been trying to get in touch with AMEX regarding security vulnerabilities in your system for a while. Who do I speak to?”<p>I think this is not ideally expressive language when you talk to a lay-person representative on Twitter. I believe a better result could be achieved with simpler and clearer language:<p>“@AmericanExpress I have discovered a serious security issue in your web system (money can be stolen). Please help me report it to someone responsible.”
Here's something I learned from AMEX last week ... if one of your cards gets compromised and you cancel the card, AMEX will continue to allow charges to flow through that old "canceled" number to your newly issued number if those charges are coming from a "trusted recurring entity". I discovered that charges were continuing to flow through a number that I'd canceled due to it being compromised even though I thought it'd been nullified. AMEX explained that their policy is to allow these charges to continue, and it took a number of months before I caught the problem because the charge was coming from a business I continued to have business with. Apparently the person that stole my number had set up a recurring charge with this business as well. To their credit, AMEX removed all of these charges even though they spanned a number of months ... but it caught me completely by surprise that a number I thought was canceled was still allowing charges to flow through it.
The author should have contacted the email addresses given in the DNS WHOIS (amexdns@aexp.com, gtld@aexp.com) and the obvious aliases (security@...).<p>However I can understand and sympathize, it's enraging how hard it is to get into contact with a person of any kind at certain companies (KLM/Air France, I'm looking at you). I understand they want to save money, but if you run a business, you have to be contactable in one way or another. And snail mail as the last option really doesn't cut it in the 21st century.
Wow. All you need to do to activate this is append ?debug to the main American Express URL: <a href="https://www.americanexpress.com/?debug" rel="nofollow">https://www.americanexpress.com/?debug</a>
When a major company, especially a financial services company, is subject to public security vulnerability disclosures like this, it should really make other companies stand up and take notice. There is absolutely no excuse for these kinds of vulnerabilities to exist on a production system. When Citibank was recently hacked by simply changing the account number in URLs, that should have been enough for other financial institutions to do an internal security audit to make sure they weren't susceptible to anything similar. Don't wait until it's too late. For the sake of their customers I hope this is resolved swiftly.
// don't ask me how exactly, but this gets the main domain froma hostname;<p>This explains a lot. What I don't understand though, is why this guy, who doesn't understand basic regular expressions (the expression is also wrong), is working on the American Express website.
Next time, I would try reaching their Public Relations group for help. PR people are almost always accessible by name, phone, and email -- they're usually on the bottom of every press release that goes out. They also have good internal channels to every part of the company and know who to contact.<p>Googling for "american express public relations" turns up a page with three NY-based vice presidents, with direct lines and email addresses listed: <a href="http://about.americanexpress.com/news/media_contacts.aspx" rel="nofollow">http://about.americanexpress.com/news/media_contacts.aspx</a>
Unrelated, it looks like someone at AmEx finally improved their crazy, broken password system at least, this used to be the password requirement:<p><i>"Your Password should contain 6 to 8 characters, at least one letter and one number (not case sensitive), contain no spaces or special characters (e.g. &, >, *, $, @) and be different from your User ID."</i><p>Now it's this:<p><i>"Your Password must be different from your User ID, must contain 8 to 20 characters, including one letter and number, may include the following characters: %,&, _, ?, #, =, -, cannot have any spaces and will not be case sensitive."</i>
Can someone explain the origin or meaning of the word "hero" to describe primary marketing/call to action sections? I saw it first in the twitter bootstrap code [1], and now here.<p>[1] view-source: <a href="http://twitter.github.com/bootstrap/examples/hero.html" rel="nofollow">http://twitter.github.com/bootstrap/examples/hero.html</a>
This is crazy... when you go to the admin panel <a href="https://www.americanexpress.com/us/admin/" rel="nofollow">https://www.americanexpress.com/us/admin/</a> you actually get access to user cookies (session ids) which probably allow you to hijack their session (haven't tried it in case it's going to be traced back...)
Surely a DM message to the AskAmex account, with some actual details written in clear English, not jargon or "hacker lingo stuff", would have been more suitable? Or asking someone on here like Thomas to make a phone call?<p>I understand the argument between full disclosure and responsible disclosure, but the author could have DM'd it on Twitter, or posted it on Twitter wholesale, since it's now public anyway.
Does going to the url <a href="https://www.americanexpress.com/us/admin/" rel="nofollow">https://www.americanexpress.com/us/admin/</a> constitute "computer hacking"? It's not protected in any way, shape or form.
For the longest time, American Express had a password system that only allowed 8 alphanumeric characters and was case-INSENSITIVE.<p>Moreover, sometimes the AJAX used to submit your payments did not activate, and often, no feedback at all was given if a payment did go through.<p>This kind of vulnerability seems par for the course for their tech team.
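The two password policies quoted in the thread (the old 6-8 character alphanumeric one and the newer 8-20 character one, both case-insensitive) are easy to compare once written down as code. The block below is an added example, not code from the thread or from American Express: it encodes each policy as a validator and computes the log2 size of the largest password set each one permits. The character sets are my reading of the quoted rules (an assumption; the rule text is ambiguous about which symbols the old policy banned), and the third, case-sensitive policy is a hypothetical comparison point, not anything AmEx offered.

```python
"""Validate passwords against the two quoted AmEx policies and size their keyspaces.

Added example; not from the original thread or American Express. Character
sets are an assumption read from the quoted rule text.
"""
import math
import re
import string
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_len: int
    max_len: int
    extra_chars: str        # symbols permitted besides letters and digits
    case_sensitive: bool

    def allowed_chars(self) -> str:
        # A case-insensitive check folds 'A' and 'a' together, so only one case counts.
        letters = string.ascii_letters if self.case_sensitive else string.ascii_lowercase
        return letters + string.digits + self.extra_chars

    def validate(self, password: str, user_id: str) -> List[str]:
        """Return the rule violations for a candidate password (empty list = accepted)."""
        pw = password if self.case_sensitive else password.lower()
        uid = user_id if self.case_sensitive else user_id.lower()
        problems: List[str] = []
        if not self.min_len <= len(pw) <= self.max_len:
            problems.append(f"length must be {self.min_len}-{self.max_len}")
        if not re.search(r"[a-zA-Z]", pw):
            problems.append("needs at least one letter")
        if not re.search(r"[0-9]", pw):
            problems.append("needs at least one digit")
        bad = sorted({c for c in pw if c not in self.allowed_chars()})
        if bad:
            problems.append("disallowed characters: " + "".join(bad))
        if pw == uid:
            problems.append("must differ from user ID")
        return problems

    def keyspace_bits(self) -> float:
        """log2 of the number of max-length strings over the effective alphabet.

        This is an upper bound on offline guessing work; real users choose from
        a far smaller set, which is why the bound matters when it is this low.
        """
        return self.max_len * math.log2(len(self.allowed_chars()))


# Old policy as quoted: 6-8 characters, letters and digits only, not case sensitive.
OLD_POLICY = PasswordPolicy("old", 6, 8, "", case_sensitive=False)
# New policy as quoted: 8-20 characters, plus % & _ ? # = -, still not case sensitive.
NEW_POLICY = PasswordPolicy("new", 8, 20, "%&_?#=-", case_sensitive=False)
# Hypothetical (assumption, not an AmEx policy): the new rules with case preserved.
CASE_SENSITIVE_POLICY = PasswordPolicy("new+case", 8, 20, "%&_?#=-", case_sensitive=True)


if __name__ == "__main__":
    for p in (OLD_POLICY, NEW_POLICY, CASE_SENSITIVE_POLICY):
        print(f"{p.name:9s} max keyspace = 2^{p.keyspace_bits():.1f}")
    print("old  :", OLD_POLICY.validate("Abc123&", "jsmith"))
    print("new  :", NEW_POLICY.validate("Tr0ub4dor&3", "jsmith"))
```

The old policy tops out around 2^41 possibilities (36 symbols, 8 positions), which is within reach of a well-resourced offline attack on a leaked hash database; the quoted new policy raises the ceiling to roughly 2^108, and preserving case would add another 13 bits or so on top of that. The point of the `case_sensitive` switch is to make that last cost visible: it is a server-side comparison choice, not something users can compensate for.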
FWIW, on his homepage there's also a nice small vulnerability in reCAPTCHA. The Google developer who wrote the buggy code actually had to do a hack to shut up PHP warnings about it. Duuuh...
I don't consider telephone contact for security vulnerabilities to be that unreasonable. They should support PGP encrypted email, yes, and have a page about how to report incidents, issue tracking numbers, etc., but it took me ~3 minutes on the phone to get the right info for Amex corporate security.
Unfortunately, I've had this kind of difficulty far too often when reaching out to large companies with disclosures. Most recently, the only thing that worked was blasting off an email to all the internal people I could find through google: the CTO, vp of engineering, and head of support were on the list, as were a few lower level employees. The lower level got back to me right away, eager to cc the CTO on their response =)
I empathize with the developer, but this disclosure is wildly irresponsible.<p>It's a pain contacting live representatives at any large corporation. When you're dealing with the financial industry, you should grit your teeth and find a way to do it anyway. If you have no choice, publish a warning about the exploit, but don't release all the details without a long warning period.
So 90 comments and no mention of "didn't he try emailing security@americanexpress.com". That would be my first step, not harassing a marketing account on Twitter. Marketing campaigns are often run by third-party companies. Whoever gets security@ emails, not so much.<p>If you want to inflate your ego, post to full-disclosure; don't annoy people on Twitter and blog about it.
Ugh, it would just be easier to sell the vuln than try to inform one of these clueless dinosaur companies about it. I know why companies like Amex build these giant fortresses around their communications, but they should be more cognizant of the damage that can cause.
Wow. This is a huge vulnerability. I hope they fix this very soon. The cognitive dissonance going on with that twitter conversation makes me think he was talking to a bot. Also I love the "These cookies are secure" bit on the admin interface.
I don't think this is anything dangerous. All the data is static, it's just some sort of demo. It doesn't matter who goes to the page, they will always get the same data, it never changes. I'm not a customer so can't try once logged in. If I was to wildly speculate, I'd say honeypot.