Hacker News
0day vulnerability full disclosure: American Express (qnrq.se)
479 points by michiel3 2261 days ago | 163 comments

Typing this up in real time ...

I called American Express Australia to report the defect & I was transferred through to the American call centre.

The CSR to whom I spoke transferred me through to a different department, after I explained that I didn't have an account. She did ask whether "I received an email" which I assume was some sort of inquiry as to whether I had been phished.

I then spoke to an online services rep., who after asking for my card number, listened to my report. She then put me on hold.

(The call had taken 10 minutes by this time).

After a few more minutes on hold, the CSR came back on the line, asked me to repeat the information, and confirmed for the umpteenth time that I don't have an American Express card. I explained that it wasn't my find, but that it had been published online & so was by now _very_ public.

(15 minutes by this time, most of that on hold listening to advertising for American Express, including some ironic praise for their website).

CSR comes back on the line. She's spoken to her 'technical team' who assure me that there's nothing insecure going on because it's all over HTTPS. So I politely walked her through the process - visit the page, add ?debug to the URL, click the admin link & behold: lots of should-be-secure stuff.

At this point she thanks me profusely, & asks that I hold while she speaks to her supervisor. Back to the American Express ads ...

(20 minutes at this point).

The CSR came back on the line, thanked me again, & said that her supervisor had taken a screenshot of the issue & escalated it. Job done.

So, yeah, I can totally understand the frustration experienced by the guy who discovered the vulnerability. But it certainly wasn't impossible for me to report the issue, & I'm in Australia.

(I didn't mention that there was a pregnant pause after she clicked the Admin Home link & saw the admin page in all its glory. I think the only sound was, as Scott Adams put it, the sound of eyeballs getting really big.)

Do remember that for every real serious problem such as this, American Express and any other large company receives a hundred or a thousand calls for non-issues like phishing or minor issues like a compromised card number to cancel and reissue. The system is optimized for these common cases; the edge case of a real public vulnerability will require extra effort and it's not a failing of Amex that the system is so.

I agree in principle, but a core part of their business is maintaining the integrity of a system. When you combine this with some of the statements they have made regarding their password policy, it makes me as a paying customer very concerned about their approach to cyber-security. They have excellent fraud prevention, but I'd really like to see them make some strides in this area.

when the cost of a false negative is so damn high, you'd think they would know not to filter so aggressively

If they didn't filter aggressively, that would mean that their more technical staff would be deluged with crap.

And then quit.

I was operations/development at an ISP once, had three layers of acceptably competent support techs between the customer and me and a serious reputation as a fire breathing dragon if a non-issue was escalated to me - but -still- regularly lost half my day dealing with escalated "urgent problems" that were neither.

at some point, all the people dealing with the false positives will be costlier.

Seriously? I won't take American Express anytime soon, I can tell you that. If this gets picked up in mainstream media, it is devastating.

More likely: people will be assured the problem is fixed, and then not care.

Let me rephrase: you'd hope they would know...

> it's not a failing of Amex that the system is so.

Actually, it is. They failed. Their system was open for years in secret, and at least hours after someone tried to point out the problem to them.

It's not the CS rep's fault. But it is their boss's fault, all the way up to the top.

You misinterpreted me. What I said is that the extra effort needed to report this vulnerability isn't a fault of the Amex customer service system. Of course it's a faulty deployment process that allowed this to happen in the first place. But as far as escalating a trouble report from an ordinary consumer, what happened does seem pretty reasonable.

Flip it around: what if Amex (or any other large company) made it easy to escalate everything to a technologically capable supervisor right away? Those supervisors would be deluged in uninformed, irrelevant, and just plain wrong security reports. Filtering out the signal from the noise in the security landscape is a monumental task in itself. As tech savvy hackers, we always think we're entitled to say "I know what I'm doing so escalate me over the idiots", but how does a company or CSR tell whether that's actually true?

You are absolutely correct.

The dozen or so hackers in this thread that expect that "security vulnerability" is some magic keyword that gets you talking to the head technical honcho of the security group have probably never answered phone calls for a big company. Phone support for somebody like AmEx is a huge burden of cost and manpower; the structure of the tree has been set firmly in place since the 1980's to take care of the most common 90% of issues using the least-paid person available. I'm sorry, if you're in the long tail you will just have to expect to wait extra. That goes double if you are not a cardmember (read: paying customer).

I am surprised that the above person in Australia got through at all, and that the CSR had latitude to try to spend time replicating the issue. In my opinion, for a credit card company, 20 minutes and a positive conclusion for a matter as rare as reporting a webapp vulnerability is a success.

Sure, none of you should be thrilled about the situation because as technically-oriented people with generous motives the system is not set up to serve you. But that's not a failure of the system, except maybe from your own individual perspective. Believe me, AmEx has done the cost-benefit analysis and they are saving boatloads of money by having those rare well-intentioned hackers listen to some hold music, because it is too expensive to sort you out from the thousands of loonies that got a phishing email. Security breaches are an acknowledged risk and they are already prepared to absorb their effects on multiple levels.

In a way it is a failure of the system, in that it is much easier to simply post the vulnerability on your blog or a full-disclosure mailing list than 'officially' report it. This could potentially cost them large amounts of money.

Why would finding a vulnerability give you the moral imperative to waste so much time reporting it? Especially if you're not a customer or otherwise affected by it? I know I wouldn't.

This is why companies like Google have a security issue submit form. Sure, some lower-wage people will be filtering it, but at least they will have had training to separate the important from the unimportant problems. And for a bank, security is even more paramount.

> Sure, none of you should be thrilled about the situation because as technically-oriented people with generous motives the system is not set up to serve you. But that's not a failure of the system, except maybe from your own individual perspective. Believe me, AmEx has done the cost-benefit analysis and they are saving boatloads of money by having those rare well-intentioned hackers listen to some hold music

Which is why we shouldn't jump through their hoops. If we do we let them get away with it. If we didn't they'd be forced to pay more attention.

The well-meaning person in this thread did them and us a disservice by going so far out of his way.

I would assume a credit card company or bank had a technical security support team.

Funny thing is: he didn't even try that, because he didn't accept under any circumstances to communicate by phone, fax or snail mail.

He made this big, boldface disclaimer with twitter screenshots and all trying to claim "best effort is good enough" and "they won't listen", but all I saw was them listening and him refusing to speak.

Erm, no. Dude if I spend my time figuring out vulnerabilities to your system and don't exploit em, instead help you close them, and I am not even a cardholder... I will not jump through any hoops for any amount of my time. They owe me, I owe them shit. I am being kind and generous by not exploiting or giving the exploit to others, or using it to fuck up AMEX reputation.

Especially true if I want my anonymity preserved.

Jumping through hoops? Dude he got in contact with someone. Instead he got a "piss off" response.

I for one think it's a seriously unrealistic expectation to think that AMEX or insert large corp here will handle security vulnerabilities over twitter.

It's the equivalent of telling a teller or their doorman about it.

> I for one think it's a seriously unrealistic expectation to think that AMEX or insert large corp here will handle security vulnerabilities over twitter.

a) Agree. b) That said, I think the fact that the person on the other end of the American Express Twitter account was accepting to talk to the guy over DM, and thereby actually /was/ willing to handle a security vulnerability over Twitter, is the most damning argument against this guy's rant; he insisted on using a "modern protocol", but apparently telling someone using Twitter, when they were perfectly happy to let him do so, was not modern enough: he insisted it be on his terms or no terms, e-mail or nothing.

No, he did not appear to want to discuss it over twitter either. They offered that.

I assume he was looking for a specific email address and perhaps a PGP key. Sure, that would be nice. But using the telephone is a pretty common method of transmitting important, time-sensitive information.

Worrying about keeping the information private is inconsistent with posting it publicly.

As someone who does community management/marketing, I take claims like security issues very seriously. If someone at 4pm messaged such over Twitter to my startup, I'd call the CEO and all engineers immediately, regardless of the time. I don't think I'm a doorman there, but rather the first line of defense/listening.

The key word in your post is "startup". Most CSRs of AMEX have probably not even seen their CEO in person, let alone "call him immediately".

Their bosses' bosses have never seen their CEOs. I bet you there's a good chance a CSR doesn't even know their CEO's name.

I certainly didn't back when I worked at $IMMENSE_FINANCIAL_INSTITUTIONs

To be fair, he asked repeatedly for a proper security contact and claims they don't publish one for whatever reason.

If the only way to contact you is through clueless support people who have a script that doesn't include your option, yeah, that's a problem. But usually it's the customer who is screwed by this. This time, it bit the company instead.

That said, you can always ask if someone knows a security contact on BugTraq. Someone there will probably know.

He was trying to handle it over email. He was just asking the doorman for directions to the manager's office.

The hacker didn't want to use Twitter either...

And what do you think the doorman/receptionist is for?

Well, I didn't get a "piss off" response, I got a nice warm thank you. Perhaps he could have persevered just a bit? I had to do a bit of hand-holding to get the CSR to whom I spoke to understand the problem, but once she did, it was easy.

At first glance you made some progress and that makes him seem unrealistic in his demands for electronic communication, but what makes you think that the issue was reported properly upstream? I think that you got lucky to find someone who understood that it was a real problem, and unless they have an internal escalation procedure in place, there's a decent chance it will die with her or her supervisor. There's really no way of knowing if your report had any effect or not. Other large corporations have measures in place to handle vulnerability reports, it seems like a problem for a large CC provider to not have a clear procedure in place for handling these issues.

When a non-customer does you the courtesy of pointing out serious flaws in your system, you do not ask them to detail it publicly via twitter.

Nor is it a good idea to make them jump through hoops. You know what method of disclosure doesn't have hoops? Posting an email to the Full Disclosure mailing list.

Look. I'm all for giving the company a chance but if you put up arbitrary hoops up for me to jump through... Why shouldn't I take the path of least resistance again?

I have to agree with the others here, while you may have done what you believe is the "right" thing, you have absolutely no idea if that avenue of inquiry went anywhere, and based on my experience working in an enterprise, I would guess that even if it did go anywhere from there it would take weeks for meetings to get scheduled, and months for people to get assigned to actually do anything about it.

I disagree. If you want to be a black hat and exploit or sell the vulnerability, then fine. But if you're going to claim to be a good guy, you need to make more than a half-hearted effort to do the right thing.

In this case, the exploit is so simple and obvious that he could have fit it in a twitter DM (which is a method of communication that was specifically offered to him)

No. The only way to be a bad guy is to exploit the vulnerability. He didn't do anything wrong, he did something very right that most people couldn't and wouldn't have done, and he was rebuffed for it.

It's not like they're owed this. If not for this good guy wasting his time trying to contact them and publishing this they'd have probably been vulnerable for years.

The person in the thread who made the call could only have done so with the help of the initial disclosure. He couldn't have helped make Amex more secure until the security researcher showed him how.

Now Amex is more secure than yesterday.

i agree with you that preserving anonymity is a valid goal. spending 20-30 minutes on the phone is not how one should run something like a whistle-blower's hotline.

i don't agree with the idea that you are "...being kind and generous by not exploiting...".

I'm curious, if notifying them instead of exploiting the bug doesn't qualify as 'kind', then what do you call it?

As far as I'm concerned that's being bloody gracious and generous.

yes, notifying them is kind. simply not exploiting them is not.

it's like saying i'm being kind for not robbing someone.

It's more like, I found your wallet, here it is and all the money is still there. Perhaps honorable is the right word we are looking for here.

hardly. exploiting the vulnerability is clearly and objectively illegal. It is likely to affect not only the company itself but also any innocent customers one might defraud.

Why should he? The company was trying to be hard to reach to control costs. It cost them in another way. Life is tough.

This is financial infrastructure, there's a higher bar. I think the government should mandate that we give the hacker who discovers the hole 2% of the company's profits for the year... If not, nationalize them and rid us all of the useless frictional costs.

Someone signed up for their Wells Fargo account with my email address. For weeks, I tried to get in contact with Wells Fargo about the problem. I spent a lot of time on the phone with the 'security team' and nothing ever came of it. In the end, I kept receiving all of this person's banking information.

It wasn't so much a security problem so much as it was annoying to get this person's banking info all the time. (I assume I would have needed more than access to email to get into his account.)

In the end, after several phone calls and then tweeting at Wells Fargo, it was the Facebook reps that were able to get someone to call me and sort the problem out. The rep who called even verified that the first three of my social didn't match the account holder, so it wasn't identity theft.

Completely annoying but in the end, it just took finding that one person that understood and cared to help.

Ironically the page is available over both https and http.

Some years ago when I was doing more stuff in spam and phishing I came across a phishing site for a small US bank. The list of phished card details was available through the interface and it was clear that there were some real people local to the bank who had given their name, address, card number, PIN, SSN, ... everything.

I decided to contact the bank. After filling in the form for contact on their web site giving all the details of the site, I did get an email back and eventually I got someone on the phone. This person (who said they were in charge of bank computer security) thanked me and said that they were going to try to deal with it (I had also contacted the school district whose computer was hosting the site to get it shut down).

I then told this person that there were real account details on the phisher site and would they like the list of people's account numbers so they could inform their customer/shut down their debit card etc. The bank officer replied, "No." As far as they were concerned the people who were that stupid got what they deserved.

I was flabbergasted, but couldn't do much to make the bank do something.

So, using the names and addresses of the people from the phishing site I managed to track a couple of them down (they were small businesses whose business addresses were available on the web) and phoned them up so they would be alerted. They took it pretty well considering that some weird British guy was calling them from France to tell them their US bank account details were at risk.

A few years back, when "Verified by Visa" first came out, I was taken aback the first time I saw it. It's not at all hard to imagine that you're being phished by this strange page.

I called the customer service number for my Visa card and asked if this was a real Visa card "feature". After spending a couple of minutes asking around, nobody knew what the heck it was.

If Visa has a division that takes security seriously, they certainly need to work hard on the customer-facing aspects of it.

VbV has to be some of the worst security engineering I've ever seen. iframe content, arbitrary domain (securesuite?!), trivially guessable or resettable details.

And to add on top it looks like a con, the design is horrific.

Verified by visa is hideous security theatre. I have no idea why banks fail so hard at security. They're actively targeted by criminal gangs; they stand to lose money if they get it wrong; they have money and expertise to get it right. Yet they all suck.

They fail so hard because Visa and the banks aren't the ones liable for losses. Liability falls to you (if you don't report) or the merchant (through charge backs).

Visa and the bank make their money either way. Merchants have no choice but to "bend over and take it up the tailpipe".

Sounds like they were trying to avoid liability. If you know person X has had his account hijacked, and you do nothing, you're probably liable under some law or another. If you don't know the exact identities involved, you can feign ignorance and probably get away with it.

In my opinion that would have justified alerting the local press.

Local? Just local? I'd be as noisy about it as I could, and I would have informed the people whose info had been compromised as to just what the bank said when you offered them a list of compromised accounts.

Wouldn't you want to be informed if your bank was intentionally leaving your personal info and financial well-being at risk?

There's usually a procedure for reporting lost cards which results in immediate blocking, if you really want to secure those numbers. In Lloyds it's actually pretty strict - I found some wallet one day on a street but without any contact information - called up the bank responsible for the card so that they could contact the owner with my phone number, but they wouldn't proceed before cancelling that person's card. On the one hand I can understand that action, on the other I feel bad for causing that person to request a new card when I was already standing on the street he lives on.

You could have copied the card and months later charged something on it. Someone other than the owner was in possession of that card; it was the right thing to cancel it.

Like I said - I understand why it's done and it seems to be a method of forcing some cards to be blocked ("I found cards with those numbers..."). Unfortunately it causes some issues if you actually intend to return the wallet/card to the owner.

They knew this was open. They even took it out of their robots.txt :)


  User-agent: *
  Disallow: /us/admin/
  Disallow: /us/heroes/
  Allow:

I apologise in advance for a lackluster comment, but seeing incompetence on so many levels like this on a monthly basis from financial institutions makes me want to be sick.

This is like putting a sign out the front of your house saying please do not enter through the back window, it's open.

I look at this as a good thing. I know that if I am ever injured in such a way as to receive severe brain damage, I'll still be able to get a high-paying programming job.

Then there is more behind this than we think. Actually, we can be pretty sure someone on the web team will have pointed out that this is not good and is insecure.

After seeing this I kind of get the idea why this URL is in the wild.

Crawling robots.txt files is a great way to find fun stuff in general.

When you go through the regular PCI compliance scan they actually warn you about this...

here is another robots.txt file: https://home.americanexpress.com/robots.txt

Yikes, I wonder if that's how it was discovered in the first place. I'm no pen tester, but that's probably the first thing I would check on a target website.

If anyone happens to lose money through this vulnerability I think that provides enough evidence to make AMEX knowingly culpable.

Without that, this is just run-of-the-mill incompetence. But the Disallow: /us/admin/ indicates that they knew that URL was wide open, and failed to act.
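The robots.txt listing quoted earlier in the thread, and the remark that PCI compliance scans warn about exactly this, both come down to one point: a Disallow line asks crawlers to stay away, but it also advertises the path to every human who fetches the file, and it is not access control. As an added example (not code from the thread, from American Express, or from any PCI scanner), here is a small robots.txt parser with an audit check a site owner can run against their own file. The sample input is constructed from the lines quoted in the thread, and the list of "sensitive" path segments is a hypothetical starting point, not a standard.

```javascript
// Added example: parse a robots.txt file and flag Disallow entries whose path
// suggests an administrative or non-public surface, for reviewing your own
// file. Not code from the thread or from any site discussed in it.

// Constructed input, built from the rule lines quoted in the thread.
const SAMPLE_ROBOTS_TXT = `
User-agent: *
Disallow: /us/admin/
Disallow: /us/heroes/
Allow:
`;

// Parse into groups: each run of User-agent lines followed by its Allow /
// Disallow rules. Comments ("# ...") are stripped; unknown fields and empty
// paths are ignored (an empty Disallow or Allow value carries no rule).
function parseRobots(text) {
  const groups = [];
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    const sep = line.indexOf(':');
    if (sep < 0) continue;
    const field = line.slice(0, sep).trim().toLowerCase();
    const value = line.slice(sep + 1).trim();
    if (field === 'user-agent') {
      // Consecutive User-agent lines share one group; a rule line closes it.
      if (!current || current.rules.length > 0) {
        current = { agents: [], rules: [] };
        groups.push(current);
      }
      current.agents.push(value);
    } else if ((field === 'disallow' || field === 'allow') && current && value) {
      current.rules.push({ type: field, path: value });
    }
  }
  return groups;
}

// Path segments that usually mark an administrative or internal surface.
// Hypothetical list for this example; extend it for your own site.
const SENSITIVE_SEGMENT = /(^|\/)(admin|administrator|debug|internal|backup|private)(\/|$)/i;

// Return the Disallow paths a site owner should review: each one is a URL the
// file publishes to every reader while only asking crawlers not to index it.
function sensitiveDisallows(text) {
  const hits = [];
  for (const group of parseRobots(text)) {
    for (const rule of group.rules) {
      if (rule.type === 'disallow' && SENSITIVE_SEGMENT.test(rule.path)) {
        hits.push({ agents: group.agents.slice(), path: rule.path });
      }
    }
  }
  return hits;
}

// Usage: sensitiveDisallows(SAMPLE_ROBOTS_TXT) returns one hit, for /us/admin/.
```

The check is deliberately one-sided: a hit does not mean the path is exposed, only that the file names a surface which must be protected by authentication on the server rather than by the robots.txt entry.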

The first three Twitter messages by the vulnerability reporter are:

“@AmericanExpress Who can I contact regarding security vulnerabilities in your system? I'm not available through phone, physical mail or fax”

“@AmericanExpress Just to clarify: I have vulnerabilities. This should be "urgent", so no technical support jungle please :-)”

“@AmericanExpress I've been trying to get in touch with AMEX regarding security vulnerabilities in your system for a while. Who do I speak to?”

I think this is not ideally expressive language when you talk to a lay-person representative on Twitter. I believe a better result could be achieved with simpler and clearer language:

“@AmericanExpress I have discovered a serious security issue in your web system (money can be stolen). Please help me report it to someone responsible.”

yep, credit that the guy partially tried - but prefacing your first interaction about a serious issue by "I'm not available [to contact through most of the usual communication methods]" is sort of self-defeating.

He's reporting a vulnerability on a website. It is absolutely reasonable to expect to be able to report it through email, and utterly ridiculous of AMEX to refuse. That's where the conversation ends, not with "well, you should spend your time fighting through these costly and obsolete mechanisms so you can do us a favor".

Here's something I learned from AMEX last week ... if one of your cards gets compromised and you cancel the card, AMEX will continue to allow charges to flow through that old "canceled" number to your newly issued number if those charges are coming from a "trusted recurring entity". I discovered that charges were continuing to flow through a number that I'd canceled due to it being compromised even though I thought it'd been nullified. AMEX explained that their policy is to allow these charges to continue, and it took a number of months before I caught the problem because the charge was coming from a business I continued to have business with. Apparently the person that stole my number had set up a recurring charge with this business as well. To their credit, AMEX removed all of these charges even though they spanned a number of months ... but it caught me completely by surprise that a number I thought was canceled was still allowing charges to flow through it.

That's standard practice for all cards, it's not just AMEX (I believe the authority is based on the account rather than the card). In the UK, there's no easy way to cancel a recurring payment on a card other than contacting the entity taking the payments. If they refuse, you can complain to the card provider and they will eventually sort it out, but payments will still go through in the meantime.

Moral of the story: Don't let anyone have a recurring payment authorisation on your card.

You can always close the CC account completely. Not ideal but it will work hard and fast.

Even if you do, you're still liable for any charges which hit the account after it's been closed, at least according to every closed account letter I've received (in the UK, not sure what the process is in other countries). Plus you can't close an account until the balance is clear.

Wow, that's insane. So, I close the account, paid in full. And 10 days later I receive a charge of 100 dollars and I still owe it. Would not surprise me if true.

I have an AMEX card that expired in 2007 and it is still successfully charged by AWS each month. Apparently, it's a big pain to get customers to re-enter new payment details when cards expire, as a result I believe merchants are often allowed to charge to cards that have long since expired.

I was once very close to a server (that was in active use) getting disconnected/wiped by a hosting provider because my CC expired, and their mail to inform me of that got lost.

Only figured that one when the site went offline, didn't come back, and I started bitching at their support.

So I have some sympathy for the CC company being lax with recurring charges on expired cards. Would be a nice service if they went ahead and called you up in such a situation.

One would think it would be common sense to double check recurring charges to a canceled card with the account holder. Then again, when have financial institutions ever followed common sense..

Just curious ... why don't you update it?

Because it works

Not just AMEX. I had an account drained (and indeed sent quite negative) after I explicitly cancelled a Mastercard to stop two such entities who would not cancel my accounts from continuing to charge me for services I wasn't using.

This also happened to me. The problem was that the fraud was coming from one of their "Trusted Entities" (Best Buy). So on day 1 I had $500 worth of fraudulent charges, and on day 2 I had to call them back and let them know of more fraudulent charges.

The author should have contacted the email addresses given in the DNS WHOIS (amexdns@aexp.com, gtld@aexp.com) and the obvious aliases (security@...).

However I can understand and sympathize, it's enraging how hard it is to get into contact with a person of any kind at certain companies (KLM/Air France, I'm looking at you). I understand they want to save money, but if you run a business, you have to be contactable in one way or another. And snail mail as the last option really doesn't cut it in the 21st century.

Extremely hard to get in touch with Google as well. And you only tend to realise it when something goes horribly wrong - like when your adsense account gets suspended.

Yeah, but it's not hard to report a security problem: https://www.google.com/appserve/security-bugs/new?rl=usrwf3z...

KLM has a very good social media service department and should respond to most if not all questions...

I did get contacted by a Twitter account after venting there, but after DM'ing (160 characters?!) my request, they couldn't help me either.

Really, why not just provide an email address? If you have someone listening and responding at @KLM in any case, why not also accept emails instead of the crippled communication possible through Twitter?

Indeed, checking the whois for emails and other things could easily work.

Wow. All you need to do to activate this is append ?debug to the main American Express URL: https://www.americanexpress.com/?debug

When a major company, especially a financial services company, is subject to public security vulnerability disclosures like this, it should really make other companies stand up and take notice. There is absolutely no excuse for these kinds of vulnerabilities to exist on a production system. When Citibank was recently hacked by simply changing the account number in URLs, that should have been enough for other financial institutions to do an internal security audit to make sure they weren't susceptible to anything similar. Don't wait until it's too late. For the sake of their customers I hope this is resolved swiftly.

It seems the bigger the company is the more irresponsible they become. In UK in the bank I use, you can activate protection of your debit card / current account (usage analysis, higher insurance), but to do that you need to register with Experian (credit rating company). The process for that is: put your recent bill, bank statement and photocopy of ID in an envelope and post it to them via normal mail.

I decided to ignore that great offer and keep my account secure in traditional way. Apparently ignorance with regards to the internet sites is not what causes big companies to act in stupid ways. It's the whole mindset...

I'm pretty sure normal mail is generally quite secure. Sure, there's very little barrier to someone opening your envelope, but perhaps because the ratio of sensitive stuff vs. letters to grandma is so low, I'm not aware of it ever happening much.

There's one big difference in those letters though. The letter to grandma will be addressed to a person. The letter with documents for Experian will be addressed to... Experian, which is a known company dealing with money and personal data.

True, but the sheer volume of mail makes sorting through it a formidable task. The US Postal Service has sorting capacity like you wouldn't believe.

A criminal could in theory target Experian's mailing address, so perhaps it simply comes down to whether you believe they can secure their property.

Not to mention that that's a trivial security mistake. ActiveRecord makes it very easy to just "read" the id, and ignore whether or not the user actually has access to it, or just guessed the id. Any operation using an id needs to be checking if you actually have rights to the object. Yes it requires an extra SELECT before you UPDATE or an extra condition (my ORM doesn't do that), but it's secure.
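The Citibank case mentioned earlier in the thread (changing the account number in the URL) and the ActiveRecord remark above describe the same defect: a record is fetched by the id the client supplied, with ownership never part of the query. As an added example (not code from the thread, from Citibank, or from American Express), here is that unscoped lookup beside the ownership-scoped version, in plain JavaScript over constructed in-memory data so it runs without a database or ORM. The account and user ids are made up.

```javascript
// Added example: direct-object lookup by client-supplied id versus a lookup
// scoped to the authenticated user. Not code from any site discussed here.

// Constructed stand-in for an accounts table; ids and balances are made up.
const ACCOUNTS = [
  { id: 1001, ownerId: 1, balance: 250 },
  { id: 1002, ownerId: 2, balance: 9000 },
];

// Vulnerable pattern: the id from the URL is trusted as-is, so any
// authenticated user who changes the number gets someone else's record.
function getAccountUnscoped(requestedId) {
  return ACCOUNTS.find(a => a.id === requestedId) || null;
}

// Hardened pattern: ownership is part of the lookup predicate itself, so a
// guessed id yields "not found" instead of another customer's data.
function getAccountScoped(currentUserId, requestedId) {
  return ACCOUNTS.find(a => a.id === requestedId && a.ownerId === currentUserId) || null;
}

// The same rule for writes: the "extra condition" the comment mentions lives
// in the update predicate, so a write against an account the caller does not
// own changes nothing and reports zero affected rows.
function withdrawScoped(currentUserId, requestedId, amount) {
  if (!(Number.isInteger(amount) && amount > 0)) return 0;
  const acct = getAccountScoped(currentUserId, requestedId);
  if (!acct || acct.balance < amount) return 0;
  acct.balance -= amount;
  return 1; // affected rows, as a database UPDATE would report
}

// Minimal request simulation: parse /accounts/<id> and dispatch to one of the
// two lookups. Returns an HTTP-like status so the behaviours can be compared.
function handleGetAccount(currentUserId, path, mode) {
  const m = /^\/accounts\/(\d+)$/.exec(path);
  if (!m) return { status: 404, body: null };
  const id = Number(m[1]);
  const acct = mode === 'scoped'
    ? getAccountScoped(currentUserId, id)
    : getAccountUnscoped(id);
  return acct ? { status: 200, body: acct } : { status: 404, body: null };
}

// Usage: user 1 requesting /accounts/1002 gets 200 in 'unscoped' mode and 404
// in 'scoped' mode; the record belongs to user 2.
```

Returning 404 rather than 403 for a foreign id is a deliberate choice in the scoped version: it does not confirm to the caller that the guessed id exists.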

// don't ask me how exactly, but this gets the main domain froma hostname;

This explains a lot. What I don't understand though, is why this guy, who doesn't understand basic regular expressions (the expression is also wrong), is working on the American Express website.

The regex:

// don't ask me how exactly, but this gets the main domain froma hostname;

  var hostArray = /([^.]+(.com))$/ 
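As an added example (not code from the thread or from the American Express site), here the quoted expression is actually applied to constructed hostnames beside a corrected version, since the line above only assigns the pattern without running it. The defect the comment points at is the unescaped dot before "com", which matches any character, and the pattern also only knows ".com". The `MULTI_LABEL_SUFFIXES` set in the last function is a deliberately tiny constructed placeholder for the Public Suffix List, not the real list.

```javascript
// Added example: the regex quoted in the thread, applied, beside a corrected
// version. Not code from the site the thread discusses.

// The original expression as quoted. Two defects: the dot before "com" is
// unescaped (it matches any single character), and only ".com" is handled.
const ORIGINAL_RE = /([^.]+(.com))$/;

function mainDomainOriginal(hostname) {
  const m = ORIGINAL_RE.exec(hostname);
  return m ? m[1] : null;
}

// Corrected literal dot, and any top-level domain: take the last two labels.
const FIXED_RE = /([^.]+\.[^.]+)$/;

function mainDomainFixed(hostname) {
  const m = FIXED_RE.exec(hostname);
  return m ? m[1] : null;
}

// Even the two-label rule is wrong for multi-label public suffixes such as
// "co.uk". This set is a constructed placeholder; a real deployment would
// consult the Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au']);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  if (labels.length < 2 || labels.some(l => l === '')) return null;
  const lastTwo = labels.slice(-2).join('.');
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  if (labels.length < keep) return null;
  return labels.slice(-keep).join('.');
}

// Usage: mainDomainOriginal('evilcom') returns 'evilcom' although the input
// has no dot at all; mainDomainFixed('evilcom') returns null.
```

Why it matters: a "main domain" computed this way typically ends up as a cookie `domain` attribute or an origin check, so an expression that accepts "evilcom" as a domain, or that collapses "www.example.co.uk" to "co.uk", widens the scope of whatever it guards.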


Next time, I would try reaching their Public Relations group for help. PR people are almost always accessible by name, phone, and email -- they're usually on the bottom of every press release that goes out. They also have good internal channels to every part of the company and know who to contact.

Googling for "american express public relations" turns up a page with three NY-based vice presidents, with direct lines and email addresses listed: http://about.americanexpress.com/news/media_contacts.aspx

Unrelated, it looks like someone at AmEx finally improved their crazy, broken password system at least, this used to be the password requirement:

"Your Password should contain 6 to 8 characters . at least one letter and one number (not case sensitive), contain no spaces or special characters (e.g. &, >, , $, @) and be different from your User ID."*

Now it's this:

"Your Password must be different from your User ID, must contain 8 to 20 characters, including one letter and number, may include the following characters: %,&, _, ?, #, =, -, cannot have any spaces and will not be case sensitive."

Is the "will not be case sensitive" just a typo or do they enforce case insensitivity?! If they do, that's horrendous.

Try logging into various sites with a case-flipped version of your password; you'd be surprised (horrified?) how often it works.

I assume it means that case insensitivity is a "feature" of the password system.

Can someone explain the origin or meaning of the word "hero" to describe primary marketing/call to action sections? I saw it first in the twitter bootstrap code [1], and now here.

[1] view-source: http://twitter.github.com/bootstrap/examples/hero.html

I'm not so sure about the origin, but it's commonly used in design/UX to showcase one primary or "Hero" product, and refers to a large space front-and-center above the fold on a page. Think apple's site putting up a huge iPhone image on release day (http://www.sprint.com is another good example).

I think this likely started in physical product sites and the lingo just stuck.

Hero: An entity which is idealized for possessing superior qualities in any field.

It is someone / something that is promoting your company or product, and is a 'hero of the product X' being promoted. Kind of like how, if we mention it to our friends, we become 'heroes of hacker news' ..

Oh wow, unprotected admin tools and an XSS vulnerability on their main homepage that is used for customer logins. That's pretty bad.

The utter lack of a mechanism to report bugs, particularly security bugs, seems far worse.

I've encountered this problem frequently when interacting with various organizations. The pervasive availability of bug-tracking systems and/or bug-reporting email addresses makes the absence of one quite conspicuous.

I've seen many organizations applying spam filtering on their security@org.org address, leading to tons of reports ending up in spam boxes without being noticed by the company. The researcher doesn't receive any feedback on his responsible disclosure and multiple reminders, and finally submits the vulnerability to a full disclosure list.

Even worse: some businesses apply spam filtering to their abuse@ address, which thus rejects reports of spam as...spam.

This is crazy... when you go to the admin panel https://www.americanexpress.com/us/admin/ you actually get access to user cookies (session ids) which probably allow you to hijack their session (haven't tried it in case it's going to be traced back...)

Surely a DM message to the AskAmex account, with some actual details written in clear English, not jargon or "hacker lingo stuff" would have been more suitable? Or asking someone on here like Thomas to make a phone call?

I understand the argument between full disclosure and responsible disclosure, but if the author could have DM'd it on Twitter. Or posted it on Twitter wholesale, since its now public anyway.

The operator of the AskAmex account seemed completely clueless on security-related matters. I doubt saying, "visit this URL: https://www.americanexpress.com/?debug=true&heroOverride... would have registered as a problem for her.

AMEX made it incredibly difficult for this guy to report the issue to anyone who had the slightest clue as to its severity. Banging his head against the wall until someone finally clued in would not have fixed that communication issue. Full disclosure just might.

All the more reason to make as clear and straightforward a declaration as possible. Not "I have vulnerabilities", but a DM saying "American Express is leaking customer information at this URL and it is imperative this is reported to your security department." It's their problem to escalate if they don't understand, but you have to give enough information to make escalation possible.

Agreed Robin - it's likely that the person operating the twitter account for most huge companies has minimal, if any, interaction with IT/security and its lingo.

Speak plainly people.

How much more plain than "Who can I contact regarding security vulnerabilities in your system" can you get? When she asked what kind of vulnerabilities, would saying, "unsecured admin panel and xss allowing for session jacking and spoofing" really have been more meaningful than what he said? Even saying "unsecured admin panel" on twitter would have sent people scrambling for it. He was attempting responsible disclosure before he turned to full disclosure.


All you guys (not targeted specifically at you here) that say 'He tried it in a clear way': Call one of the less technically inclined people in your family/among your friends. Tell them you've just read about a security vulnerability and wonder if they could describe what that is to one (possibly less technically inclined) person in their family/among their friends.

That's essentially what you're looking at if you throw these words at a corporate marketing (with some links to support) drone that needs to fill in his/her supervisors to make anything special happen.

You cannot send a direct message to a user who is not following you.

It's amazing that such a huge oversight can be made. I hope American Express doesn't try to sue this guy.

The admin page is completely unprotected, you don't even get a notice about the system being private. They can't sue him, they wouldn't have a leg to stand on.

To me it looks like somebody left a "DEBUG = True" somewhere on the site and went to the beach :)

They can't sue him, they wouldn't have a leg to stand on.

Why not? I've been clicking around various US laws and have yet to see any mention about a login screen or "Go away, private!" messages being required before it counts as unauthorized access:


The question is, is the disclosure of this (technically public) resource location litigation material?

IANAL, but I can definitely see both sides of this debate being highly defensible.

In the US the first time you sue someone can be for any reason. It's only considered abusive if you do it several times without reason.

Indeed. Perhaps it would have been better to publish the exploit anonymously. It's definitely not too useful in terms of street cred -- while we all appreciate discovery of security bugs, it takes no skill and is a common script-kiddie method to just try /admin, etc., after URLs, so there is not much value professionally in having your real name tied to it, but significant risk and harassment issues come into play, especially in a big thing like this where the ire of angry and/or fleeced customers can easily be manipulated and misdirected.

Financial services are, of course, among the most cautious of organisations - which makes this kind of glaring mistake all the more worrying. Astonishing.

Surely this is just a honeypot?

It could have been. Except, you can't leave your valuables on the street and then arrest someone for breaking and entering when they're stolen!

Except, you can't leave your valuables on the street and then arrest someone for breaking and entering when they're stolen!

Agreed, that would be theft:

Theft by finding occurs when someone who chances upon an object which seems abandoned takes possession of the object but fails to take steps to establish whether the object is abandoned and not merely lost or unattended


Does going to the url https://www.americanexpress.com/us/admin/ constitute "computer hacking"? It's not protected in any way, shape or form.

Does going to the url https://www.americanexpress.com/us/admin/ constitute "computer hacking"? It's not protected in any way, shape or form.

I believe that the level of hacking/cracking required is irrelevant to most laws around the world; if you're not meant to be there, you're guilty of an offence.

I'm sure lawyers could argue intent all day long, but whether or not a login screen appears is irrelevant.

if you're not meant to be there, you're guilty of an offence.

But how would I know? If someone's private property is not marked as such in any way, would I be a trespasser if I wander into it? Let's say it's part of a field or a forest, not a building with doors ...

But how would I know? If someone's private property is not marked as such in any way, would I be a trespasser if I wander into it?

According to this page (the first result I found in Google - there may be more reliable information out there), it's not an easy question to answer:


Can trespass to land be committed without fault? The answer should be obvious but I have found it surprisingly difficult to track down. I am referring, not to cases of involuntary entry onto land (there are clear cases saying no liability if you get pushed or fall unconscious), but to the sort of case where you (without carelessness) cross over someone's boundary in the bush (maybe more likely in Australia than the UK!) without knowing it

In Canada there is assumed permission unless no trespassing signs are put up (in the bush you even have right of way, they can't legally stop you!).

Also, in areas where you are legally allowed to hunt the land owner has to put up markings that mean "no, I do not give you permission to hunt" if they do not want you to hunt.


More than likely, yes. See US vs. Auernheimer for a recent example. The complaint is here: http://i.cdn.turner.com/dr/teg/tsg/release/sites/default/fil...

The complaint indicates that AT&T's publicly accessible endpoint is a protected computer under Title 18, United States Code, Section 1030(e)(2). A protected computer is basically any computer used for interstate or foreign commerce in the US, or outside the US if it affects the commerce thereof.

The issue hinges on intent - if you know that you're exceeding authorized access to obtain something of value. 18 USC 1030 was created in 1986 by the Computer Fraud and Abuse Act and is often panned for being incredibly broad.

See this wikipedia page for more info: http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act


>the issue hinges on intent - if you know that you're exceeding authorized access to obtain something of value.

entertainment value?

This is kind of a cool debug interface. Anyone feel like forking it and putting it on Github?

I work at AXP and have escalated internally

I'll bet you that reporting this on HN is a more effective way than going through channels.

For the longest time, American Express had a password system that only allowed 8 alphanumeric characters and was case-INSENSITIVE.

Moreover, sometimes the AJAX used to submit your payments did not activate, and often, no feedback at all was given if a payment did go through.

This kind of vulnerability seems par for the course for their tech team.

FWIW, on his homepage there's also a nice small vulnerability in reCAPTCHA. The Google developer who wrote the buggy code actually had to do a hack to shut up PHP warnings about it. Duuuh...

The admin page is still there. Amazing.

google + "Amex security response team" = eirp@aexp.com



Don't you think then that if you asked their customer services via twitter for a way to report a security issue that the customer service rep should have sent that address?

Should have? Maybe. But, with corporations that size it's unlikely. I'm not saying this falls entirely on him, but I feel he didn't exactly do his fullest before pulling the trigger on the full disclosure.

I don't consider telephone contact for security vulnerabilities to be that unreasonable. They should support PGP encrypted email, yes, and have a page about how to report incidents, issue tracking numbers, etc., but it took me ~3 minutes on the phone to get the right info for Amex corporate security.

Unfortunately, I've had this kind of difficulty far too often when reaching out to large companies with disclosures. Most recently, the only thing that worked was blasting off an email to all the internal people I could find through google: the CTO, vp of engineering, and head of support were on the list, as were a few lower level employees. The lower level got back to me right away, eager to cc the CTO on their response =)

08:39 PST: the page says it's removed for me.


Check out the site now, it looks like this has been fixed. At the very least, not bad response time on their part once they got wind of it.

I empathize with the developer, but this disclosure is wildly irresponsible.

It's a pain contacting live representatives at any large corporation. When you're dealing with the financial industry, you should grit your teeth and find a way to do it anyway. If you have no choice, publish a warning about the exploit, but don't release all the details without a long warning period.

No. It's about time we stop letting the financial industry get away with incompetence. Every other software vendor would be raked over coals for not having a publicly available security disclosure email address and utterly failing to properly route a request via Twitter.

Responsible disclosure exists so that vendors have an incentive to respond to vulnerability reports in a timely manner. In fact, it is the responsible thing to publicly disclose vulnerabilities so that AmEx learns to implement a proper security reporting process.

No. I agree with almost everything you wrote, but this sort of disclosure doesn't punish the company, it punishes its _users_, and doesn't give them an easy way to make the causal connection. Unless this story is picked up by the mainstream media, how are any victims of this exploit to know that it happened because AmEx is incompetent, instead of e.g. because credit cards are risky?

FYI, this is one of the few good uses for LinkedIn. If you need to access the engineering department, the ordinary external avenues are usually going to fall flat, and that only becomes increasingly true as the target organization expands. However, hopping on LinkedIn you can find an engineer or someone who at least has engineering buddies within AmEx and similarly monolithic corporations in seconds.

As an Amex cardholder, I can attest to the fact that getting in touch with their service reps, should you happen to not have your card on hand, is a pain in the ass. They have many obstacles in place to prevent talking to non-members.

I agree, but this is a complete fail by AmEx. They don't even have a way to report or check on phishing emails from their contact page. THAT would have been the way I would have tried to get in contact with them to help them out. Hopefully, if nothing else, they'll get some sort of scam alert response.

Note to self: It's really hard to automate good customer service.

So 90 comments and no mention of "didn't he try emailing security@americanexpress.com". That would be my first step, not harassing a marketing account on Twitter. Marketing campaigns are often run by third-party companies. Whoever gets security@ emails, not so much.

If you want to inflate your ego, post to full-disclosure; don't annoy people on Twitter and blog about it.

Target.com had an almost identical problem on their newly designed site (years in the making).

Since AMEX caters to wealthier customers you would think that they would be on top of this kind of thing...


Hence the bug report. :) Misconfiguration, most likely.

"Hence the bug report."

The story was posted an HOUR ago! They're a bank! Imagine the number of criminals swarming over their website by now. You'd think they'd react quicker. Or maybe the bosses there aren't aware of the implications of this disclosure.

Ugh, it would just be easier to sell the vuln than try to inform one of these clueless dinosaur companies about it. I know why companies like Amex build these giant fortresses around their communications, but they should be more cognizant of the damage that can cause.

Wow. This is a huge vulnerability. I hope they fix this very soon. The cognitive dissonance going on with that twitter conversation makes me think he was talking to a bot. Also I love the "These cookies are secure" bit on the admin interface.

protip: if you're a bank or credit card company you need top security folks and procedures. just a thought.

I don't think this is anything dangerous. All the data is static, it's just some sort of demo. It doesn't matter who goes to the page, they will always get the same data, it never changes. I'm not a customer so can't try once logged in. If I was to wildly speculate, I'd say honeypot.

This is dangerous! Someone has left the debug=true in the config somewhere. Anything could be possible on the site, not just the script injection in the url and the debug page, but a lot of other stuff as well. When the debug flag is true on our sites, we have a link which will authenticate us as an admin without any credentials for example!

> When the debug flag is true on our sites, we have a link which will authenticate us as an admin without any credentials for example!

Well, get rid of that and push for a change in your company's workflow. This kind of control shouldn't be deployable to the main servers at all.

Have separate staging servers and run your tests and debugging interfaces on them, but as much as possible, don't deploy administrator interfaces to the servers that talk to the customer. [1]

[1] I'm undecided which kinds of heisenbugs would justify breaking that lemma.
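The "somebody left DEBUG = True" theory earlier in the thread and the advice just above (no admin or debug interface on customer-facing servers) both come down to one design rule: debug routes should not be registered at all in production, and a production process that finds itself configured with debug on should refuse to start. The following is an added example of that rule, not American Express code and not the commenter's; the environment variable names, route paths and handler bodies are assumptions for illustration:

```javascript
// Build the route table from an explicit environment object (rather than
// reading process.env directly) so the behaviour is easy to test.
function buildRoutes(env) {
  const routes = new Map();
  routes.set('/', () => 'home page');

  // Debug-only routes are registered only outside production. There is no
  // runtime switch (no "?debug=true") left for a visitor to flip on the live site.
  if (env.NODE_ENV !== 'production' && env.DEBUG === 'true') {
    routes.set('/us/admin/', () => 'debug admin console');   // assumed path
  }
  return routes;
}

// Startup guard: DEBUG=true on a production box is a deployment mistake.
// Fail fast at boot instead of serving a weakened site.
function assertSafeConfig(env) {
  if (env.NODE_ENV === 'production' && env.DEBUG === 'true') {
    throw new Error('refusing to start: DEBUG=true in production');
  }
  return true;
}

// Dispatch: anything not in the table is a 404. The query string is passed to
// the handler but never changes which routes exist.
function handle(routes, path, query = {}) {
  const handler = routes.get(path);
  if (!handler) return { status: 404, body: 'not found' };
  return { status: 200, body: handler(query) };
}
```

The same shape works with any real framework: decide at startup, from configuration, which handlers exist, and never let a request parameter promote a request into debug or admin mode.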

huge glaring XSS vulnerability on a credit card company's homepage is not serious? This kind of stuff is a phisher's dream
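Several comments in this thread (the "XSS vulnerability on their main homepage", the `?debug=true&heroOverride...` URL, and the "script injection in the url") describe a reflected XSS through a URL parameter. As an added example that is not the American Express page's code, here is the typical vulnerable shape beside a hardened renderer. The parameter name `heroOverride` is taken from the thread; how the real page used it is not shown there, so the rendering and the allow-list of hero ids below are assumptions for illustration:

```javascript
// Parse "?a=b&c=d" into an object. Percent-decoding is applied so an encoded
// payload in the URL counts as the attacker intended.
function parseQuery(search) {
  const out = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// Vulnerable: untrusted text from the URL is concatenated straight into markup.
function renderHeroUnsafe(search) {
  const q = parseQuery(search);
  const hero = q.heroOverride || 'default';
  return '<div class="hero">' + hero + '</div>';
}

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened: only known hero ids are honoured, and whatever is echoed is escaped
// anyway, so a bad allow-list entry still cannot become script.
const knownHeroes = new Set(['default', 'platinum', 'travel']);   // assumed allow-list

function renderHeroSafe(search) {
  const q = parseQuery(search);
  const requested = q.heroOverride || 'default';
  const hero = knownHeroes.has(requested) ? requested : 'default';
  return '<div class="hero">' + escapeHtml(hero) + '</div>';
}
```

The allow-list is the real fix for a parameter that is meant to select among a few pre-built variants; the escaping is defence in depth for the day someone adds free text to the list. A server-side check of the same kind is what stops the phishing scenario the comment above worries about, since a crafted link to the genuine domain then renders only the genuine hero.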
