More American Express sites vulnerable to XSS and open redirects

Written by DP

Tuesday, 5 October 2010

Three more critical vulnerabilities have been reported for The other XSS is still pending a fix.
"PaPPy" has reported an open redirect vulnerability in and one XSS bug on the card reviews forum.
"d3v1l" from Security-Sh3ll has reported a cross-site scripting hole affecting the supposedly secure American Express online rewards mall, a shopping portal that offers special offers and discounts to PASS prepaid card members at hundreds of online merchants, as well as in stores.
"Ensuring proper validation of all inputs in Web applications, in order to prevent cross-site scripting and SQL injection vulnerabilities, is actually a requirement of the Payment Card Industry Data Security Standard (PCI-DSS)," Lucian Constantine, SoftPedia's security columnist, writes.
To avoid further embarrassment, American Express, which is a founding member of the PCI Security Standards Council, must review its Data Security Operating Policy and bring its own sites into compliance with the following statements from that policy:
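As an added illustration (not code from the original post, nor from American Express), here is how the two bug classes named above are usually closed on the server side: an allowlist check on a redirect parameter, and HTML output encoding for a parameter reflected into a page. The host names are constructed placeholders.

```python
from html import escape
from urllib.parse import urljoin, urlsplit

# Constructed allowlist for a rewards-portal style site; not a real configuration.
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "rewards.example.com"}
SITE_BASE = "https://www.example.com/"
FALLBACK = "/"


def safe_redirect_target(target: str) -> str:
    """Return a redirect target that stays on an allowlisted host, else FALLBACK.

    Rejects absolute URLs to other hosts, protocol-relative forms ("//evil.test"),
    backslash variants ("/\\evil.test", which browsers normalise to "//"),
    userinfo tricks ("https://www.example.com@evil.test/") and non-http(s)
    schemes such as javascript:.
    """
    if not target:
        return FALLBACK
    candidate = target.replace("\\", "/")
    # Resolve relative paths against our own origin: "/account" stays local,
    # while "//evil.test/x" resolves to the foreign host and is caught below.
    resolved = urlsplit(urljoin(SITE_BASE, candidate))
    if resolved.scheme not in ("http", "https"):
        return FALLBACK
    if resolved.hostname not in ALLOWED_REDIRECT_HOSTS:
        return FALLBACK
    return resolved.geturl()


def render_review_page_unsafe(search_term: str) -> str:
    # Vulnerable pattern: untrusted input concatenated straight into HTML,
    # so a search term containing markup executes in the visitor's browser.
    return f"<p>Results for: {search_term}</p>"


def render_review_page(search_term: str) -> str:
    # Hardened: entity-encode for the HTML text context. escape() with
    # quote=True also encodes quotes, so the same call is safe inside a
    # double-quoted attribute value.
    return f"<p>Results for: {escape(search_term, quote=True)}</p>"
```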
"Our long-standing commitment to Data Security:
Cardmembers have relied on American Express for the highest level of service and protection. In continuously addressing security issues, we have developed this Data Security Operating Policy and are working with merchants and service providers to help them establish appropriate security programs."
"Compromised data negatively impacts consumers, merchants, and card issuers. Even one incident can severely damage a company's reputation and impair its ability to effectively conduct business. Addressing this threat by implementing the American Express Data Security Operating Policy can help improve customer trust, and has the potential to increase profitability as well as enhance a company's reputation. Your customers can feel more secure and so can you."