American Express say it shut down the webpage that left a portion of its website open for anyone to access in what’s being a called a zero-day security vulnerability, the company says in statement. The security issue was first discovered by developer Niklas Femerstrand, who attempted to reach out to American Express via Twitter in the hopes of being pointed to an email address he could use to send the company further details regarding the issue.
The seemingly confused Twitter rep asked him whether he was an Amex cardholder and offered him a phone number to call, despite his objections to contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details to his blog instead.
According to the blog post (also featured here on Hacker News), Femerstrand discovered that American Express developers had accidentally left an administration panel for website debugging accessible, potentially leaving it open to XSS attacks.
“Hackers could inject a cookie stealer combined with jQuery’s .hide() and harvest cookies which can, ironically enough, be exploited by using the admin panel provided by sloppy American Express developers,” wrote Femerstrand on his blog post. He also demonstrated a proof-of-concept attack.
What this means is that customer sessions could be hijacked and they could be directed to the American Express website through phishing attacks. The hackers could then harvest their account info, while avoiding having their emails picked up through anti-spam/anti-phishing technologies.
American Express has now responded, stating that the webpage in question is now down:
“We learned this morning that an internal test page created to update promotional offers was temporarily accessible on our US website. The page did not contain CM information such as card number, name or address. The page in question has been taken down. We are not aware of any information at this time that this vulnerability was used for malicious purposes but we are continuing to investigate.”
There are several other concerns that accompany this particular incident, however. For example, if this was a case of pure oversight, why did American Express specifically remove the page from their robots.txt file? That seems to indicate that the company knew the page was open.
In addition, why are Twitter representatives for a financial services company not aware of the proper email address for security researchers to use? Twitter may be primarily a marketing channel, but sheer ignorance to key terms like “security vulnerability” seems inexcusable when, potentially, private customer information is at stake.
And finally, shouldn’t have Femerstrand tried a little harder to find a legitimate way to contact Amex besides using Twitter? That’s the consensus on Hacker News, Reddit, and even, in some cases, on the blog post itself.