Cross-site scripting hole in American Express site using EV SSL

Written by DP

Monday, 4 October 2010

Security researcher "SeeMe" who discovered the persistent Amazon XSS vulnerability, has also reported a cross-site scripting bug on that would allow fraudsters to carry out phishing attacks, targeted to American Express credit/debit card owners.'xss')%3C/script%3E [Mirror]                                       

The affected page uses a Verisign Extended Validation SSL certificate, which assures the visitors that the content and the domain name belong to American Express. So most probably, potential phishing attacks leveraging the XSS on the SSL site could have a high success rate.

American Express sites have been XSSed in the past.

We hope this one gets fixed very quickly...


Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.