
They knew this was open. They even took it out of their robots.txt :)

https://www.americanexpress.com/robots.txt

User-agent: *
Disallow: /us/admin/
Disallow: /us/heroes/
Allow:




I apologise in advance for a lackluster comment, but seeing incompetence on so many levels like this on a monthly basis from financial institutions makes me want to be sick.

This is like putting a sign out the front of your house saying "please do not enter through the back window, it's open."


I look at this as a good thing. I know that if I am ever injured in such a way as to receive severe brain damage, I'll still be able to get a high-paying programming job.


Then there is more behind it than we think. Actually, we can be pretty sure someone on the web team will have pointed out that this is not good and insecure.

After seeing this I kind of get the idea why this URL is in the wild.


Crawling robots.txt files is a great way to find fun stuff in general.


When you go through the regular PCI compliance scan they actually warn you about this...


Here is another robots.txt file: https://home.americanexpress.com/robots.txt


Yikes, I wonder if that's how it was discovered in the first place. I'm no pen tester, but that's probably the first thing I would check on a target website.


If anyone happens to lose money through this vulnerability I think that provides enough evidence to make AMEX knowingly culpable.

Without that, this is just run-of-the-mill incompetence. But the Disallow: /us/admin/ indicates that they knew that URL was wide open, and failed to act.
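The thread's point is that a `Disallow:` line is public and names the very path it is meant to hide. As an added example (not code from the thread or from any of the sites mentioned), here is a small Python audit a site owner can run over their own robots.txt before publishing it: it parses the file into User-agent groups and flags Disallow paths that contain segments commonly associated with non-public functionality. The sample file and the list of sensitive segments are constructed assumptions.

```python
# Constructed sample modelled on the file quoted in the thread; not the real contents.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /us/admin/
Disallow: /us/heroes/
Allow: /us/public/
"""

# Path segments that usually mark non-public functionality. Assumed list, not a standard.
SENSITIVE_SEGMENTS = {"admin", "administrator", "backup", "private", "internal", "config", "debug"}


def parse_robots(text):
    """Return (user_agent, directive, path) triples for every Allow/Disallow rule.

    Simplified: when several User-agent lines share a group, only the last one is
    recorded. Comments (#) and blank lines are ignored, as in the real format.
    """
    rules = []
    agent = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            agent = value
        elif field in ("disallow", "allow") and agent is not None:
            rules.append((agent, field, value))
    return rules


def flag_disclosures(text):
    """Return (user_agent, path) pairs for Disallow entries that look like internal paths.

    A Disallow line only asks well-behaved crawlers to stay away; it does not restrict
    access. Anything flagged here must be protected by authentication and authorisation
    on the server, and is usually better left out of robots.txt altogether.
    """
    flagged = []
    for agent, directive, path in parse_robots(text):
        if directive != "disallow" or not path:
            continue
        segments = {s.lower() for s in path.strip("/").split("/") if s}
        if segments & SENSITIVE_SEGMENTS:
            flagged.append((agent, path))
    return flagged


if __name__ == "__main__":
    for agent, path in flag_disclosures(SAMPLE_ROBOTS):
        print(f"review: Disallow {path} (group {agent}) advertises a non-public path")
```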



