I called American Express Australia to report the defect & I was transferred through to the American call centre.
The CSR to whom I spoke transferred me through to a different department, after I explained that I didn't have an account. She did ask whether "I received an email" which I assume was some sort of inquiry as to whether I had been phished.
I then spoke to an online services rep., who after asking for my card number, listened to my report. She then put me on hold.
(The call had taken 10 minutes by this time).
After a few more minutes on hold, the CSR came back on the line, asked me to repeat the information, and confirmed for the umpteenth time that I don't have an American Express card. I explained that it wasn't my find, but that it had been published online & so was by now _very_ public.
(15 minutes by this time, most of that on hold listening to advertising for American Express, including some ironic praise for their website).
CSR comes back on the line. She's spoken to her 'technical team' who assure me that there's nothing insecure going on because it's all over HTTPS. So I politely walked her through the process - visit the page, add ?debug to the URL, click the admin link & behold: lots of should-be-secure stuff.
At this point she thanks me profusely, & asks that I hold while she speaks to her supervisor. Back to the American Express ads ...
(20 minutes at this point).
The CSR came back on the line, thanked me again, & said that her supervisor had taken a screenshot of the issue & escalated it. Job done.
So, yeah, I can totally understand the frustration experienced by the guy who discovered the vulnerability. But it certainly wasn't impossible for me to report the issue, & I'm in Australia.
And then quit.
I was operations/development at an ISP once, had three layers of acceptably competent support techs between the customer and me and a serious reputation as a fire breathing dragon if a non-issue was escalated to me - but -still- regularly lost half my day dealing with escalated "urgent problems" that were neither.
Actually, it is. They failed. Their system was open for years in secret, and at least hours after someone tried to point out the problem to them.
It's not the CS rep's fault. But it is their boss's fault, all the way up to the top.
Flip it around: what if Amex (or any other large company) made it easy to escalate everything to a technologically capable supervisor right away? Those supervisors would be deluged in uninformed, irrelevant, and just plain wrong security reports. Filtering out the signal from the noise in the security landscape is a monumental task in itself. As tech savvy hackers, we always think we're entitled to say "I know what I'm doing so escalate me over the idiots", but how does a company or CSR tell whether that's actually true?
The dozen or so hackers in this thread that expect that "security vulnerability" is some magic keyword that gets you talking to the head technical honcho of the security group have probably never answered phone calls for a big company. Phone support for somebody like AmEx is a huge burden of cost and manpower; the structure of the tree has been set firmly in place since the 1980s to take care of the most common 90% of issues using the least-paid person available. I'm sorry, if you're in the long tail you will just have to expect to wait extra. That goes double if you are not a cardmember (read: paying customer).
I am surprised that the above person in Australia got through at all, and that the CSR had latitude to try to spend time replicating the issue. In my opinion, for a credit card company, 20 minutes and a positive conclusion for a matter as rare as reporting a webapp vulnerability is a success.
Sure, none of you should be thrilled about the situation because as technically-oriented people with generous motives the system is not set up to serve you. But that's not a failure of the system, except maybe from your own individual perspective. Believe me, AmEx has done the cost-benefit analysis and they are saving boatloads of money by having those rare well-intentioned hackers listen to some hold music, because it is too expensive to sort you out from the thousands of loonies that got a phishing email. Security breaches are an acknowledged risk and they are already prepared to absorb their effects on multiple levels.
Why would finding a vulnerability give you the moral imperative to waste so much time reporting it? Especially if you're not a customer or otherwise affected by it? I know I wouldn't.
This is why companies like Google have a security issue submit form. Sure, some lower-wage people will be filtering it, but at least they will have had training to separate the important from the unimportant problems. And for a bank, security is even more paramount.
Which is why we shouldn't jump through their hoops. If we do we let them get away with it. If we didn't they'd be forced to pay more attention.
The well-meaning person in this thread did them and us a disservice by going so far out of his way.
He made this big, boldface disclaimer with twitter screenshots and all trying to claim "best effort is good enough" and "they won't listen", but all I saw was them listening and him refusing to speak.
Especially true if I want my anonymity preserved.
Jumping through hoops? Dude he got in contact with someone. Instead he got a "piss off" response.
It's the equivalent of telling a teller or their doorman about it.
a) Agree. b) That said, I think the fact that the person on the other end of the American Express Twitter account was accepting to talk to the guy over DM, and thereby actually /was/ willing to handle a security vulnerability over Twitter, is the most damning argument against this guy's rant; he insisted on using a "modern protocol", but apparently telling someone using Twitter, when they were perfectly happy to let him do so, was not modern enough: he insisted it be on his terms or no terms, e-mail or nothing.
I assume he was looking for a specific email address and perhaps a PGP key. Sure, that would be nice. But using the telephone is a pretty common method of transmitting important, time-sensitive information.
I certainly didn't back when I worked at $IMMENSE_FINANCIAL_INSTITUTIONs.
If the only way to contact you is through clueless support people who have a script that doesn't include your option, yeah, that's a problem. But usually it's the customer who is screwed by this. This time, it bit the company instead.
That said, you can always ask if someone knows a security contact on BugTraq. Someone there will probably know.
And what do you think the doorman/receptionist is for?
Nor is it a good idea to make them jump through hoops. You know what method of disclosure doesn't have hoops? Posting an email to the Full Disclosure mailing list.
Look. I'm all for giving the company a chance but if you put up arbitrary hoops up for me to jump through... Why shouldn't I take the path of least resistance again?
In this case, the exploit is so simple and obvious that he could have fit it in a Twitter DM (which is a method of communication that was specifically offered to him).
It's not like they're owed this. If not for this good guy wasting his time trying to contact them and publishing this they'd have probably been vulnerable for years.
The person in the thread who made the call could only have done so with the help of the initial disclosure. He couldn't have helped make Amex more secure until the security researcher showed him how.
Now Amex is more secure than yesterday.
I don't agree with the idea that you are "...being kind and generous by not exploiting...".
As far as I'm concerned that's being bloody gracious and generous.
It's like saying I'm being kind for not robbing someone.
This is financial infrastructure, there's a higher bar. I think the government should mandate that we give the hacker who discovers the hole 2% of the company's profits for the year... If not, nationalize them and rid us all of the useless frictional costs.
It wasn't so much a security problem as it was annoying to get this person's banking info all the time. (I assume I would have needed more than access to email to get into his account.)
In the end, after several phone calls and then tweeting at Wells Fargo, it was the Facebook reps that were able to get someone to call me and sort the problem out. The rep who called even verified that the first three of my social didn't match the account holder, so it wasn't identity theft.
Completely annoying but in the end, it just took finding that one person that understood and cared to help.
I decided to contact the bank. After filling in the form for contact on their web site giving all the details of the site, I did get an email back and eventually I got someone on the phone. This person (who said they were in charge of bank computer security) thanked me and said that they were going to try to deal with it (I had also contacted the school district whose computer was hosting the site to get it shut down).
I then told this person that there were real account details on the phisher site and would they like the list of people's account numbers so they could inform their customer/shut down their debit card etc. The bank officer replied, "No." As far as they were concerned the people who were that stupid got what they deserved.
I was flabbergasted, but couldn't do much to make the bank do something.
So, using the names and addresses of the people from the phishing site I managed to track a couple of them down (they were small businesses whose business addresses were available on the web) and phoned them up so they would be alerted. They took it pretty well considering that some weird British guy was calling them from France to tell them their US bank account details were at risk.
I called the customer service number for my Visa card and asked if this was a real Visa card "feature". After spending a couple of minutes asking around, nobody knew what the heck it was.
If Visa has a division that takes security seriously, they certainly need to work hard on the customer-facing aspects of it.
Visa and the bank make their money either way. Merchants have no choice but to "bend over and take it up the tailpipe".
Wouldn't you want to be informed if your bank was intentionally leaving your personal info and financial well-being at risk?
This is like putting a sign out the front of your house saying please do not enter through the back window, it's open.
After seeing this I kind of get the idea why this url is in the wild.
Without that, this is just run-of-the-mill incompetence. But the Disallow: /us/admin/ indicates that they knew that URL was wide open, and failed to act.
“@AmericanExpress Who can I contact regarding security vulnerabilities in your system? I'm not available through phone, physical mail or fax”
“@AmericanExpress Just to clarify: I have vulnerabilities. This should be "urgent", so no technical support jungle please :-)”
“@AmericanExpress I've been trying to get in touch with AMEX regarding security vulnerabilities in your system for a while. Who do I speak to?”
I think this is not ideally expressive language when you talk to a lay-person representative on Twitter. I believe a better result could be achieved with simpler and clearer language:
“@AmericanExpress I have discovered a serious security issue in your web system (money can be stolen). Please help me report it to someone responsible.”
Moral of the story: Don't let anyone have a recurring payment authorisation on your card.
Only figured that one when the site went offline, didn't come back, and I started bitching at their support.
So I have some sympathy for the CC company being lax with recurring charges on expired cards. Would be a nice service if they went ahead and called you up in such a situation.
However I can understand and sympathize, it's enraging how hard it is to get into contact with a person of any kind at certain companies (KLM/Air France, I'm looking at you). I understand they want to save money, but if you run a business, you have to be contactable in one way or another. And snail mail as the last option really doesn't cut it in the 21st century.
Really, why not just provide an email address? If you have someone listening and responding at @KLM in any case, why not also accept emails instead of the crippled communication possible through Twitter?
I decided to ignore that great offer and keep my account secure in the traditional way. Apparently ignorance with regards to the internet sites is not what causes big companies to act in stupid ways. It's the whole mindset...
A criminal could in theory target Experian's mailing address, so perhaps it simply comes down to whether you believe they can secure their property.
This explains a lot. What I don't understand though, is why this guy, who doesn't understand basic regular expressions (the expression is also wrong), is working on the American Express website.
// don't ask me how exactly, but this gets the main domain froma hostname;
var hostArray = /([^.]+(.com))$/
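An added example (not code from the page, the commenter, or American Express) that exercises the quoted regex to show where it goes wrong, then a stricter allowlist check of the kind a defender would use instead; all hostnames are constructed samples and ALLOWED_DOMAINS is an assumed placeholder list.

```javascript
// Added example, not code from the page, the commenter, or American Express:
// it exercises the quoted regex to show where it goes wrong, then shows a
// stricter allowlist check. Hostnames below are constructed samples.
const quotedRe = /([^.]+(.com))$/;   // the expression quoted in the comment above

// What the quoted snippet presumably intended: return the "main domain".
function mainDomainQuoted(hostname) {
  const m = quotedRe.exec(hostname);
  return m ? m[1] : null;
}

// Defects the test inputs expose:
//  1. The "." before "com" is unescaped, so it matches any single character:
//     "americanexpress-com" and "examplexcom" are treated as if they ended in ".com".
//  2. Only "com" is recognised, so "example.net" or "example.co.uk" yield null.
//  3. There is no start anchor or label check, so the result is whatever
//     dot-free label happens to precede the final "com".
//  4. The original stores the RegExp literal itself in a variable called
//     hostArray; nothing is ever matched, so it is never an array of parts.

// A safer pattern for a security decision (cookie scope, postMessage origin,
// redirect target): do not derive the domain from untrusted input at all;
// compare the hostname against an explicit allowlist of domains you own.
// ALLOWED_DOMAINS is an assumed placeholder list.
const ALLOWED_DOMAINS = ["example.com", "example.net"];

function isTrustedHost(hostname) {
  const host = String(hostname).toLowerCase().replace(/\.$/, ""); // drop trailing dot
  // Exact match or a proper subdomain: "www.example.com" yes,
  // "evil-example.com" and "example.com.attacker.test" no.
  return ALLOWED_DOMAINS.some(d => host === d || host.endsWith("." + d));
}
```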
Googling for "american express public relations" turns up a page with three NY-based vice presidents, with direct lines and email addresses listed: http://about.americanexpress.com/news/media_contacts.aspx
"Your Password should contain 6 to 8 characters . at least one letter and one number (not case sensitive), contain no spaces or special characters (e.g. &, >, , $, @) and be different from your User ID."*
Now it's this:
"Your Password must be different from your User ID, must contain 8 to 20 characters, including one letter and number, may include the following characters: %,&, _, ?, #, =, -, cannot have any spaces and will not be case sensitive."
view-source: http://twitter.github.com/bootstrap/examples/hero.html
I think this likely started in physical product sites and the lingo just stuck.
It is someone / something that is promoting your company or product, and is a 'hero of the product X' being promoted. Kind of like how, if we mention it to our friends, we become 'heroes of hacker news' ..
I've encountered this problem frequently when interacting with various organizations. The pervasive availability of bug-tracking systems and/or bug-reporting email addresses makes the absence of one quite conspicuous.
I understand the argument between full disclosure and responsible disclosure, but if the author could have DM'd it on Twitter. Or posted it on Twitter wholesale, since it's now public anyway.
AMEX made it incredibly difficult for this guy to report the issue to anyone who had the slightest clue as to its severity. Banging his head against the wall until someone finally clued in would not have fixed that communication issue. Full disclosure just might.
Speak plainly people.
All you guys (not targeted specifically at you here) that say 'He tried it in a clear way': Call one of the less technically inclined people in your family/among your friends. Tell them you've just read about a security vulnerability and wonder if they could describe what that is to one (possibly less technically inclined) person in their family/among their friends.
That's essentially what you're looking at if you throw these words at a corporate marketing (with some links to support) drone that needs to fill in his/her supervisors to make anything special happen.
To me it looks like somebody left a "DEBUG = True" somewhere on the site and went to the beach :)
Why not? I've been clicking around various US laws and have yet to see any mention about a login screen or "Go away, private!" messages being required before it counts as unauthorized access:
IANAL, but I can definitely see both sides of this debate being highly defensible.
Agreed, that would be theft:
Theft by finding occurs when someone who chances upon an object which seems abandoned takes possession of the object but fails to take steps to establish whether the object is abandoned and not merely lost or unattended
I believe that the level of hacking/cracking required is irrelevant to most laws around the world; if you're not meant to be there, you're guilty of an offence.
I'm sure lawyers could argue intent all day long, but whether or not a login screen appears is irrelevant.
But how would I know? If someone's private property is not marked as such in any way, would I be a trespasser if I wander into it? Let's say it's part of a field or a forest, not a building with doors ...
According to this page (the first result I found in Google - there may be more reliable information out there), it's not an easy question to answer:
Can trespass to land be committed without fault? The answer should be obvious but I have found it surprisingly difficult to track down. I am referring, not to cases of involuntary entry onto land (there are clear cases saying no liability if you get pushed or fall unconscious), but to the sort of case where you (without carelessness) cross over someone's boundary in the bush (maybe more likely in Australia than the UK!) without knowing it
Also, in areas where you are legally allowed to hunt the land owner has to put up markings that mean "no, I do not give you permission to hunt" if they do not want you to hunt.
More than likely, yes. See US vs. Auernheimer for a recent example. The complaint is here:
The complaint indicates that AT&T's publicly accessible endpoint is a protected computer under Title 18, United States Code, Section 1030(e)(2). A protected computer is basically any computer used for interstate or foreign commerce in the US, or outside the US if it affects the commerce thereof.
The issue hinges on intent - if you know that you're exceeding authorized access to obtain something of value. 18 USC 1030 was created in 1986 by the Computer Fraud and Abuse Act and is often panned for being incredibly broad.
See this wikipedia page for more info:
Moreover, sometimes the AJAX used to submit your payments did not activate, and often, no feedback at all was given if a payment did go through.
This kind of vulnerability seems par for the course for their tech team.
It's a pain contacting live representatives at any large corporation. When you're dealing with the financial industry, you should grit your teeth and find a way to do it anyway. If you have no choice, publish a warning about the exploit, but don't release all the details without a long warning period.
Responsible disclosure exists so that vendors have an incentive to respond to vulnerability reports in a timely manner. In fact, it is the responsible thing to publicly disclose vulnerabilities so that AmEx learns to implement a proper security reporting process.
Note to self: It's really hard to automate good customer service.
If you want to inflate your ego, post to full-disclosure; don't annoy people on Twitter and blog about it.
The story was posted an HOUR ago! They're a bank! Imagine the number of criminals swarming over their website by now. You'd think they'd react quicker. Or maybe the bosses there aren't aware of the implications of this disclosure.
Well, get rid of that and push for a change in your company's workflow. This kind of control shouldn't be deployable to the main servers at all.
Have separate staging servers and run your tests and debugging interfaces on them, but as much as possible, don't deploy administrator interfaces to the servers that talk to the customer.
I'm undecided which kinds of heisenbugs would justify breaking that lemma.
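As an added example (not code from the page, any commenter, or American Express), one fail-closed way to keep debug switches and admin interfaces off customer-facing servers, in the spirit of the last comment above; the route prefix, the query parameter name and the config shape are assumed placeholders.

```javascript
// Added example (not code from the page, the commenters, or American Express):
// a fail-closed way to keep debugging switches and admin interfaces off the
// servers that talk to customers. Route prefixes, query parameter names and the
// config shape are assumed placeholders.
const ADMIN_PREFIXES = ["/admin/"];   // assumed location of the admin interface
const DEBUG_PARAM = "debug";          // assumed name of the debug toggle

// Build the effective runtime settings from the deployment environment.
// Anything admin- or debug-related is only honoured outside production, and a
// production build that still has debug switched on refuses to start at all,
// so a forgotten "DEBUG = True" fails loudly at deploy time instead of silently
// in front of customers.
function buildRuntimeConfig(env, flags) {
  const prod = env === "production";
  if (prod && flags.debug) {
    throw new Error("refusing to start: debug mode enabled in production");
  }
  return {
    env,
    debug: !prod && Boolean(flags.debug),
    serveAdmin: !prod && Boolean(flags.serveAdmin),
  };
}

// Decide how a request should be handled under a given config. The return
// value is a plain object so the policy can be unit-tested without a server.
function routeDecision(cfg, rawUrl) {
  const url = new URL(rawUrl, "https://placeholder.invalid");
  const path = url.pathname.toLowerCase();

  // Admin paths are not mounted at all on customer-facing servers: answer 404
  // rather than 403 so the response does not confirm that an admin area exists.
  if (ADMIN_PREFIXES.some(p => path.startsWith(p)) && !cfg.serveAdmin) {
    return { status: 404, debug: false };
  }
  // A ?debug parameter is simply ignored unless the config allows it; the
  // query string must never be able to switch on privileged behaviour.
  const wantsDebug = url.searchParams.has(DEBUG_PARAM);
  return { status: 200, debug: cfg.debug && wantsDebug };
}
```

A real router should also normalise encoded and dot-segment paths before the prefix check; this example assumes the URL parser has already done so.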