Saturday, December 20, 2008

Cardmember since I stole your cookies

I expect American Express to struggle in this economy, with card members cutting back on purchases, which limits the amount Amex can collect from merchants for the privilege of accepting the various American Express cards.

One of the things that I expect them to get right, however, is web security, given it's an exploit vector, and successful compromise could allow all sorts of bad things to happen to innocent site users, like me.

Cross-site scripting, or XSS, is one of the more versatile and useful tools in the black bag of tricks. It's an all-too-common vulnerability in web applications, and it allows the bad people to inject HTML or client-side script into a page, which lets them either bypass existing access controls or exploit your browser, especially if you're using an inherently insecure browser like Microsoft's Internet Explorer, or if you're not very timely in applying security patches or updating your antivirus signatures.

In some cases, the compromised browser can redirect you to an attacker's site that's set up to look like a real site, and in other cases, the attacker can take full control of your computer, capture your keystrokes (like user IDs and passwords), or turn your machine into a spam-spewing bot that responds to orders from a centralized command & control server owned by the Russian mob or other nefarious characters.


So when Amex was notified (several times) that they had a well-known XSS vulnerability on their site, you would think they would bust their ass to not only close the hole but see what other doors and windows they might have left open.
You would be wrong, of course.

The Register reported that it took a full two weeks of being pestered by a security researcher who found the XSS flaw on their site, and that Amex had reportedly failed to respond to emails and other communications from the researcher as he tried to be a white-hat and use his powers to battle the forces of evil. Eventually, American Express managed to close the XSS vulnerability that was pointed out to them. Whew.


Except they didn't fix the problem. They fixed an instance of the problem. Two separate sources have reported that the XSS flaw still exists, allowing the crooks to capture americanexpress.com user authentication cookies. So they put a lock on one door, but failed to check the rest of their application to see if this flaw (or others) might exist elsewhere.


Assuming that Amex has a robust info security program, it's difficult to understand why these flaws weren't discovered during normal testing during the application development cycle, or as a result of periodic internal tests by the security or ethical hacking teams.

Certainly, Amex could benefit from occasional reviews of their sites by outside vendors who can do penetration testing and vulnerability assessment scanning as a check & balance to ensure that things are as locked down as possible.
XSS flaws aren't that troublesome to fix, either.
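To show what "not that troublesome to fix" looks like in practice, here is an added example (not code from this post or from American Express) of the two controls that close the cookie-theft case above: HTML-encoding untrusted input at every point it is reflected into a page, and marking the session cookie HttpOnly so injected script cannot read it. The page layout, parameter name and cookie name are assumptions.

```python
import html
from http.cookies import SimpleCookie

# Constructed probe input standing in for a reflected search parameter;
# a real finding would use whatever the researcher reported.
CONSTRUCTED_INPUT = "<script>/*injected*/</script>"


def render_unescaped(query: str) -> str:
    """The defect pattern: untrusted input pasted straight into the HTML."""
    return f"<p>Results for: {query}</p>"


def render_escaped(query: str) -> str:
    """The fix: encode <, >, &, and both quote characters before the input
    reaches the page, so the browser renders text rather than markup.
    This has to be applied at every reflection point, not just the one
    that was reported."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflects_script(page: str) -> bool:
    """Crude check used only to compare the two renderings: does the page
    still contain an unencoded <script tag from the input?"""
    return "<script" in page.lower()


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for the session token (cookie name assumed).
    HttpOnly keeps document.cookie from exposing it to script that does get
    injected; Secure keeps it off plain HTTP."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["path"] = "/"
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["httponly"] = True
    return cookie["sessionid"].OutputString()


if __name__ == "__main__":
    print(render_unescaped(CONSTRUCTED_INPUT))   # tag survives, reflected XSS
    print(render_escaped(CONSTRUCTED_INPUT))     # tag is now harmless text
    print(session_cookie_header("constructed-session-id"))
```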

As a customer, I would expect American Express to do more than issue a press release confirming that they take security seriously. They should perform a top-down review of their app dev and vulnerability management programs and do some root cause analysis of their security incident response process to determine how it could take so long for a reported vulnerability to be corrected.


A good information security program involves constantly probing your own networks and evaluating your controls environment to find the gaps before anyone else does. With so many automated exploit frameworks out there, it doesn't take someone with a doctorate in computer science to compromise your network - attacks are point and click now, and if you don't believe me, go spend some time reading about the Metasploit framework.
