172 comments

[ 4.3 ms ] story [ 212 ms ] thread
Oh wow, unprotected admin tools and an XSS vulnerability on their main homepage that is used for customer logins. That's pretty bad.
The utter lack of a mechanism to report bugs, particularly security bugs, seems far worse.

I've encountered this problem frequently when interacting with various organizations. The pervasive availability of bug-tracking systems and/or bug-reporting email addresses makes the absence of one quite conspicuous.

I've many seen organizations applying spam filtering on their security@org.org address, leading to tons of reports ending up in spam boxes without being noticed by the company. The researcher doesn't receive any feedback on his responsible disclosure and multiple reminders, and finally submits the vulnerability to a full disclosure list.
Even worse: some businesses apply spam filtering to their abuse@ address, which thus rejects reports of spam as...spam.
(comment deleted)
It's amazing that such a huge oversight can be made. I hope American Express doesn't try to sue this guy.
Financial services are, of course, among the most cautious of organisations - which makes this kind of glaring mistake all the more worrying. Astonishing.
Surely this is just a honeypot?
It could have been. Except, you can't leave your valuables on the street and then arrest someone for breaking and entering when they're stolen!
Except, you can't leave your valuables on the street and then arrest someone for breaking and entering when they're stolen!

Agreed, that would be theft:

Theft by finding occurs when someone who chances upon an object which seems abandoned takes possession of the object but fails to take steps to establish whether the object is abandoned and not merely lost or unattended

http://en.wikipedia.org/wiki/Theft_by_finding

The admin page is completely unprotected, you don't even get a notice about the system being private. They can't sue him, they wouldn't have a leg to stand on.

To me it looks like somebody left a "DEBUG = True" somewhere on the site and went to the beach :)

They can't sue him, they wouldn't have a leg to stand on.

Why not? I've been clicking around various US laws and have yet to see any mention about a login screen or "Go away, private!" messages being required before it counts as unauthorized access:

http://www.irongeek.com/i.php?page=computerlaws/state-hackin...

The question is, is the disclosure of this (technically public) resource location litigation material?

IANAL, but I can definitely see both sides of this debate being highly defensible.

In the US the first time you sue someone can be for any reason. It's only considered abusive if you do it several times without reason.
Indeed. Perhaps it would have been better to publish the exploit anonymously. It's definitely not too useful in terms of street cred -- while we all appreciate discovery of security bugs, it takes no skill and is a common script-kiddie method to just try /admin, etc., after URLs, so there is not much value professionally in having your real name tied to it, but significant risk and harassment issues come into play, especially in a big thing like this where the ire of angry and/or fleeced customers can easily be manipulated and misdirected.
(comment deleted)
Hence the bug report. :) Misconfiguration, most likely.
"Hence the bug report."

The story was posted an HOUR ago! They're a bank! Imagine the number of criminals swarming over their website by now. You'd think they'd react quicker. Or maybe the bosses there aren't aware of the implications of this disclosure.

They've had similar password stupidities in the past as well, 6char alphanumeric is secure according to amex.

I'm presently having an issue with one of their internal departments who doesn't know how to set up SSH keys rather than some third-party FTPS over HTTPS software using passwords.

The password's nothing amazing but at least they have SSL going on. I'm trying to figure out how to teach them SSH without teaching them how to hurt themselves at the same time.

When a major company, especially a financial services company, is subject to public security vulnerability disclosures like this, it should really make other companies stand up and take notice. There is absolutely no excuse for these kinds of vulnerabilities to exist on a production system. When Citibank was recently hacked by simply changing the account number in URLs, that should have been enough for other financial institutions to do an internal security audit to make sure they weren't susceptible to anything similar. Don't wait until it's too late. For the sake of their customers I hope this is resolved swiftly.
Not to mention that that's a trivial security mistake. ActiveRecord makes it very easy to just "read" the id, and ignore whether or not the user actually has access to it, or just guessed the id. Any operation using an id needs to be checking if you actually have rights to the object. Yes it requires an extra SELECT before you UPDATE or an extra condition (my ORM doesn't do that), but it's secure.
It seems the bigger the company is the more irresponsible they become. In UK in the bank I use, you can activate protection of your debit card / current account (usage analysis, higher insurance), but to do that you need to register with Experian (credit rating company). The process for that is: put your recent bill, bank statement and photocopy of ID in an envelope and post it to them via normal mail.

I decided to ignore that great offer and keep my account secure in traditional way. Apparently ignorance with regards to the internet sites is not what causes big companies to act in stupid ways. It's the whole mindset...

I'm pretty sure normal mail is generally quite secure. Sure, there's very little barrier to someone opening your envelope, but perhaps because the ratio of sensitive stuff vs. letters to grandma is so low, I'm not aware of it ever happening much.
There's one big difference in those letters though. The letter to grandma will be addressed to a person. The letter with documents for Experian will be addressed to... Experian, which is a known company dealing with money and personal data.
True, but the sheer volume of mail makes sorting through it a formidable task. The US Postal Service has sorting capacity like you wouldn't believe.

A criminal could in theory target Experian's mailing address, so perhaps it simply comes down to whether you believe they can secure their property.

Surely a DM message to the AskAmex account, with some actual details written in clear English, not jargon or "hacker lingo stuff" would have been more suitable? Or asking someone on here like Thomas to make a phone call?

I understand the argument between full disclosure and responsible disclosure, but if the author could have DM'd it on Twitter. Or posted it on Twitter wholesale, since its now public anyway.

The operator of the AskAmex account seemed completely clueless on security-related matters. I doubt saying, "visit this URL: https://www.americanexpress.com/?debug=true&heroOverride... would have registered as a problem for her.

AMEX made it incredibly difficult for this guy to report the issue to anyone who had the slightest clue as to its severity. Banging his head against the wall until someone finally clued in would not have fixed that communication issue. Full disclosure just might.

All the more reason to make as clear and straightforward a declaration as possible. Not "I have vulnerabilities", but a DM saying "American Express is leaking customer information at this URL and it is imperative this is reported to your security department." It's their problem to escalate if they don't understand, but you have to give enough information to make escalation possible.
Agreed Robin - it's likely that the person operating the twitter account for most huge companies has minimal, if any, interaction with IT/security and its lingo.

Speak plainly people.

How much more plain than "Who can I contact regarding security vulnerabilities in your system" can you get? When she asked what kind of vulnerabilities, would saying, "unsecured admin panel and xss allowing for session jacking and spoofing" really have been more meaningful than what he said? Even saying "unsecured admin panel" on twitter would have sent people scrambling for it. He was attempting responsible disclosure before he turned to full disclosure.
Right.

All you guys (not targeted specifically at you here) that say 'He tried it in a clear way': Call one of the lesser technical inclined people in your family/among your friends. Tell them you've just read about a security vulnerability and wonder if they could describe what that is to one (possibly less technical inclined) people in their family/among their friends.

That's essentially what you're looking at if you throw these words at a corporate marketing (with some links to support) drone that needs to fill in his/her supervisors to make anything special happen.

I empathize with the developer, but this disclosure is wildly irresponsible.

It's a pain contacting live representatives at any large corporation. When you're dealing with the financial industry, you should grit your teeth and find a way to do it anyway. If you have no choice, publish a warning about the exploit, but don't release all the details without a long warning period.

FYI, this is one of the few good uses for LinkedIn. If you need to access the engineering department, the ordinary external avenues are usually going to fall flat, and that only becomes increasingly true as the target organization expands. However, hopping on LinkedIn you can find an engineer or someone who at least has engineering buddies within AmEx and similarly monolithic corporations in seconds.
As an Amex cardholder, I can attest to the fact that getting in touch with their service reps, should you happen to not have your card on hand, is a pain in the ass. They have many obstacles in place to prevent talking to non-members.
I agree, but this is a complete fail by AmEx. They don't even have a way to report or check on phishing emails from their contact page. THAT would have been the way I would have tried to get in contact with them to help them out. Hopefully, if nothing else, they'll get some sort of scam alert response.

Note to self: It's really hard to automate good customer service.

No. It's about time we stop letting the financial industry get away with incompetence. Every other software vendor would be raked over coals for not having a publicly available security disclosure email address and utterly failing to properly route a request via Twitter.

Responsible disclosure exists so that vendors have an incentive to respond to vulnerability reports in a timely manner. In fact, it is the responsible thing to publicly disclose vulnerabilities so that AmEx learns to implement a proper security reporting process.

No. I agree with almost everything you wrote, but this sort of disclosure doesn't punish the company, it punishes its _users_, and doesn't give them an easy way to make the causal connection. Unless this story is picked up by the mainstream media, how are any victims of this exploit to know that it happened because AmEx is incompetent, instead of e.g. because credit cards are risky?
This is crazy... when you go to the admin panel https://www.americanexpress.com/us/admin/ you actually get access to user cookies (session ids) which probably allow you to hijack their session (haven't tried it in case it's going to be traced back...)
Here's something I learned from AMEX last week ... if one of your cards gets compromised and you cancel the card, AMEX will continue to allow charges to flow through that old "canceled" number to your newly issued number if those charges are coming from a "trusted recurring entity". I discovered that charges were continuing to flow through a number that I'd canceled due to it being compromised even though I thought it'd been nullified. AMEX explained that their policy is to allow these charges to continue, and it took a number of months before I caught the problem because the charge was coming from a business I continued to have business with. Apparently the person that stole my number had setup a recurring charge with this business as well. To their credit, AMEX removed all of these charges even though they spanned a number of months ... but it caught me completely by surprise that a number I though was canceled was still allowing charges to flow through it.
That's standard practice for all cards, it's not just AMEX (I believe the authority is based on the account rather than the card). In the UK, there's no easy way to cancel a recurring payment on a card other than contacting the entity taking the payments. If they refuse, you can complain to the card provider and they will eventually sort it out, but payments will still go through in the meantime.

Moral of the story: Don't let anyone have a recurring payment authorisation on your card.

You can always close the CC account completely. Not ideal but it will work hard and fast.
Even if you do, you're still liable for any charges which hit the account after it's been closed, at least according to every closed account letter I've received (in the UK, not sure what the process is in other countries). Plus you can't close an account until the balance is clear.
Wow, that's insane. So, I close the account, paid in full. And a 10 days latter I receive a charge of 100 dollars and I still owe it. Would not surprise me if true.
I have an AMEX card that expired in 2007 and it is still successfully charged by AWS each month. Apparently, it's a big pain to get customers to re-enter new payment details when cards expire, as a result I believe merchants are often allowed to charge to cards that have long since expired.
Just curious ... why don't you update it?
I was once very close to a server (that was in active use) getting disconnected/wiped by a hosting provider because my CC expired, and their mail to inform me of that got lost.

Only figured that one when the site went offline, didn't come back, and I started bitching at their support.

So I have some sympathy for the CC company being lax with recurring charges on expired cards. Would be a nice service if they went ahead and called you up in such a situation.

One would think it would be common sense to double check recurring charges to a canceled card with the account holder. Then again, when have financial institutions ever followed common sense..
Not just AMEX. I had an account drained (and indeed sent quite negative) after I explicitly cancelled a Msstercard to stop two such entities who would not cancel my accounts from continuing to charge me for services I wasn't using.
This also happened to me. The problem was that the fraud was coming from one of their "Trusted Entities" (Best Buy). So on day 1 I had $500 worth of fraudulent charges, and on day 2 I had to call them back and let them know of more fraudulent charges.
The author should have contacted the email addresses given in the DNS WHOIS (amexdns@aexp.com, gtld@aexp.com) and the obvious aliases (security@...).

However I can understand and sympathize, it's enraging how hard it is to get into contact with a person of any kind at certain companies (KLM/Air France, I'm looking at you). I understand they want to save money, but if you run a business, you have to be contactable in one way or another. And snail mail as the last option really doesn't cut it in the 21st century.

KLM has a very good social media service department and should respond to most if not all question...
I did get contacted by a Twitter account after venting there, but after DM'ing (160 characters?!) my request, they couldn't help me either.

Really, why not just provide an email address? If you have someone listening and responding at @KLM in any case, why not also accept emails instead of the crippled communication possible through Twitter?

Indeed, checking the whois for emails and other things could easily work.
Some years ago when I was doing more stuff in spam and phishing I came across a phishing site for a small US bank. The list of phished card details was available through the interface and it was clear that there were some real people local to the bank who had given their name, address, card number, PIN, SSN, ... everything.

I decided to contact the bank. After filling in the form for contact on their web site giving all the details of the site, I did get an email back and eventually I got someone on the phone. This person (who said they were in charge of bank computer security) thanked me and said that they were going to try to deal with it (I had also contacted the school district whose computer was hosting the site to get it shut down).

I then told this person that there were real account details on the phisher site and would they like the list of people's account numbers so they could inform their customer/shut down their debit card etc. The bank officer replied, "No." As far as they were concerned the people who were that stupid got what they deserved.

I was flabbergasted, but couldn't do much to make the bank do something.

So, using the names and addresses of the people from the phishing site I managed to track a couple of them down (they were small businesses whose business addresses were available on the web) and phoned them up so they would be alerted. They took it pretty well considering that some weird British guy was calling them from France to tell them their US bank account details were at risk.

In my opinion that would have justified alerting the local press.
Local? Just local? I'd be as noisy about it as I could, and I would have informed the people who's info had been compromised as to just what the bank said when you offered them a list of compromised accounts.

Wouldn't you want to be informed if your bank was intentionally leaving your personal info and financial well-being at risk?

Sounds like they were trying to avoid liability. If you know person X has had his account hijacked, and you do nothing, you're probably liable under some law or another. If you don't know the exact identities involved, you can feign ignorance and probably get away with it.
A few years back, when "Verified by Visa" first came out, I was taken aback the first time I saw it. It's not at all hard to imagine that you're being phished by this strange page.

I called the customer service number for my Visa card and asked if this was a real Visa card "feature". After spending a couple of minutes asking around, nobody knew what the heck it was.

If Visa has a division that takes security seriously, they certainly need to work hard on the customer-facing aspects of it.

VbV has to be some of the worst security engineering I've ever seen. iframe content, arbitrary domain (securesuite?!), trivially guessable or resettable details.
And to add on top it looks like a con, the design is horrific.
Verified by visa is hideous security theatre. I have no idea why banks fail so hard at security. They're actively targeted by criminal gangs; they stand to lose money if they get it wrong; they have money and expertise to get it right. Yet they all suck.
They fail so hard because Visa and the banks aren't the ones liable for losses. Liability falls to you (if you don't report) or the merchant (through charge backs).

Visa and the bank make their money either way. Merchants have no choice but to "bend over and take it up the tailpipe".

There's usually a procedure for reporting lost cards which results in immediate blocking, if you really want to secure those numbers. In Lloyds it's actually pretty strict - I found some wallet one day on a street but without any contact information - called up the bank responsible for the card so that they can contact the owner with my phone number, but they wouldn't proceed before cancelling that person's card. On on hand side I can understand that action, on the other I feel bad for causing that person to request a new card when I was already standing on the street he lives on.
You could have copied the card and months later charged something on it. Someone else than the owner was in possession of that card, it was the right thing to cancel it.
Like I said - I understand why it's done and it seems to be a method of forcing some cards to be blocked ("I found cards with those numbers..."). Unfortunately it causes some issues if you actually intend to return the wallet/card to the owner.
Wow. This is a huge vulnerability. I hope they fix this very soon. The cognitive dissonance going on with that twitter conversation makes me think he was talking to a bot. Also I love the "These cookies are secure" bit on the admin interface.
(comment deleted)
// don't ask me how exactly, but this gets the main domain froma hostname;

This explains a lot. What I don't understand though, is why this guy, who doesn't understand basic regular expressions (the expression is also wrong), is working on the American Express website.

The regex:

// don't ask me how exactly, but this gets the main domain froma hostname;

  var hostArray = /([^.]+(.com))$/ 

LOL.
Target.com had an almost identical problem on their newly designed site (years in the making).
Can someone explain the origin or meaning of the word "hero" to describe primary marketing/call to action sections? I saw it first in the twitter bootstrap code [1], and now here.

[1] view-source: http://twitter.github.com/bootstrap/examples/hero.html

Hero;- An entity which is idealized for possessing superior qualities in any field.

It is someone / something that is promoting your company or product, and is a 'hero of the product X' being promoted. Kind of like how, if we mention it to our friends, we become 'heroes of hacker news' ..

I'm not so sure about the origin, but it's commonly used in design/UX to showcase one primary or "Hero" product, and refers to a large space front-and-center above the fold on a page. Think apple's site putting up a huge iPhone image on release day (http://www.sprint.com is another good example).

I think this likely started in physical product sites and the lingo just stuck.

For the longest time, American Express had a password system that only allowed 8 alphanumeric characters and was case-INSENSITIVE.

Moreover, sometimes the AJAX used to submit your payments did not activate, and often, no feedback at all was given if a payment did go through.

This kind of vulnerability seems par for course for their tech team.

Since AMEX caters to wealthier customers you would think that they would be on top of this kind of thing...
FWIW, on his homepage there's also a nice small vulnerability in reCAPTCHA. The Google developer who wrote the buggy code actually had to do a hack to shut up PHP warnings about it. Duuuh...
I don't think this is anything dangerous. All the data is static, its just some sort of demo. It doesn't matter who goes to the page, they will always get the same data, it never changes. I'm not a customer so can't try once logged in. If I was to wildly speculate, I'd say honeypot.
This is dangerous! Someone has left the debug=true in the config somewhere. Anything could be possible on the site, not just the script injection in the url and the debug page, but a lot of other stuff as well. When the debug flag is true on our sites, we have a link which will authenticate us as an admin without any credentials for example!
> When the debug flag is true on our sites, we have a link which will authenticate us as an admin without any credentials for example!

Well, get rid of that and push for a change in your company's workflow. This kind of control shouldn't be deployable to the main servers at all.

Have separate, staging servers and run your tests and debugging interfaces on it, but as much as possible, don't deploy administrator interfaces to the servers that talk to the customer. [1]

[1] I'm undecided which kinds of heisenbugs would justify breaking that lemma.

huge glaring XSS vulnerability on a credit card company's homepage is not serious? This kind of stuff is a phisher's dream
The first three Twitter messages by the vulnerability reporter are:

“@AmericanExpress Who can I contact regarding security vulnerabilities in your system? I'm not available through phone, physical mail or fax”

“@AmericanExpress Just to clarify: I have vulnerabilities. This should be "urgent", so no technical support jungle please :-)”

“@AmericanExpress I've been trying to get in touch with AMEX regarding security vulnerabilities in your system for a while. Who do I speak to?”

I think this is not ideally expressive language when you talk to a lay-person representative on Twitter. I believe a better result could be achieved with simpler and clearer language:

“@AmericanExpress I have discovered a serious security issue in your web system (money can be stolen). Please help me report it to someone responsible.”

yep, credit that the guy partially tried - but prefacing your first interaction about a serious issue by "I'm not available [to contact through most of the usual communication methods]" is sort of self-defeating.
He's reporting a vulnerability on a website. It is absolutely reasonable to expect to be able to report it through email, and utterly ridiculous of AMEX to refuse. That's where the conversation ends, not with "well, you should spend your time fighting through these costly and obsolete mechanisms so you can do us a favor".
(comment deleted)
Does going to the url https://www.americanexpress.com/us/admin/ constitute "computer hacking"? It's not protected in any way, shape or form.
(comment deleted)
Does going to the url https://www.americanexpress.com/us/admin/ constitute "computer hacking"? It's not protected in any way, shape or form.

I believe that the level of hacking/cracking required is irrelevant to most laws around the world; if you're not meant to be there, you're guilty of an offence.

I'm sure lawyers could argue intent all day long, but whether or not a logic screen appears is irrelevant.

if you're not meant to be there, you're guilty of an offence.

But how would I know? If someone's private property is not marked as such in any way, would I be a trespasser if I wander into it? Let's say it's part of a field or a forest, not a building with doors ...

But how would I know? If someone's private property is not marked as such in any way, would I be a trespasser if I wander into it?

According to this page (the first result I found in Google - there may be more reliable information out there), it's not an easy question to answer:

http://www.ucc.ie/law/odg/messages/060222b.htm

Can trespass to land be committed without fault? The answer should be obvious but I have found it surprisingly difficult to track down. I am referring, not to cases of involuntary entry onto land (there are clear cases saying no liability if you get pushed or fall unconscious), but to the sort of case where you (without carelessness) cross over someone's boundary in the bush (maybe more likely in Australia than the UK!) without knowing it

In Canada there is assumed permission unless no trespassing signs are put up (in the bush you even have right of way, they can't legally stop you!).

Also, in areas where you are legally allowed to hunt the land owner has to put up markings that mean "no, I do not give you permission to hunt" if they do not want you to hunt.

(IANAL)

more than likely, yes. see US vs. auernheimer for a recent example. the complaint is here: http://i.cdn.turner.com/dr/teg/tsg/release/sites/default/fil...

The complaint indicates that AT&T's publicly accessible endpoint is a protected computer under Title 18, United States Code, Section 1030(e)(2). a protected computer is basically any computer used for interstate or foreign commerce in the US, or outside the US if it affects the commerce thereof.

the issue hinges on intent - if you know that you're exceeding authorized access to obtain something of value. 18 USC 1030 was created in 1986 by the Computer Fraud and Abuse Act and is often panned for being incredibly broad.

See this wikipedia page for more info: http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

(IANAL)

>the issue hinges on intent - if you know that you're exceeding authorized access to obtain something of value.

entertainment value?

They knew this was open. They even took it out of their robots.txt :)

https://www.americanexpress.com/robots.txt

User-agent: * Disallow: /us/admin/ Disallow: /us/heroes/ Allow:

Then there is more behind as we think. Actually we can be pretty sure someone on the web team will have pointed out that this is not good and insecure.

After seeing this i kind of get the idea why this url is in the wild.

I apologise in advance for a lack luster comment, but seeing incompetence on so many levels like this on a monthly basis from financial institutions makes me want to be sick.

This is like putting a sign out the front of your house saying please do not enter though the back window, it's open.

I look at this as a good thing. I know that if I am ever injured in such a way as to receive severe brain damage, I'll still be able to get a high-paying programming job.
Crawling robots.txt files is a great way to find fun stuff in general.
When you go through the regular PCI compliance scan they actually warn you about this...
Yikes, I wonder if that's how it was discovered in the first place. I'm no pen tester, but that's probably the first thing I would check on a target website.
If anyone happens to lose money through this vulnerability I think that provides enough evidence to make AMEX knowingly culpable.

Without that, this is just run-of-the-mill incompetence. But the Disallow: /us/admin/ indicates that they knew that URL was wide open, and failed to act.