Posted Yesterday 26 December 2008.
"Before you drop in on the American Express website to see how much damage you did to your credit line with holiday shopping, you should know it's vulnerable to an
XSS (cross-site scripting) exploit. As
The Register reports, this news comes after a bungled attempt to fix the problem. As
El Reg puts it,
The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com user's authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.
So far, only proof-of-concept exploits have been written to show how easy it would be to pilfer login credentials, but until AmEx really eradicates this problem, keep a careful eye on your website transactions. For a list of precautions you can take to
stop XSS exploits, see our
2007 article."
XSS Vulnerabilities at AmEx Website | Maximum PC
12-26-2008
Similar Threads 
