Cross-site scripting hole in American Express site using EV SSL

Monday, 4 October 2010

Security researcher "SeeMe" who discovered the persistent Amazon XSS vulnerability, has also reported a cross-site scripting bug on americanexpress.com that would allow fraudsters to carry out phishing attacks, targeted to American Express credit/debit card owners.

https://americanexpress.com/home/Search/RTN_Proxy.cgi?url=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E [Mirror]                                       

The affected page uses a Verisign Extended Validation SSL certificate, which assures the visitors that the content and the domain name belong to American Express. So most probably, potential phishing attacks leveraging the XSS on the SSL site could have a high success rate.

American Express sites have been XSSed in the past.

We hope this one gets fixed very quickly...

Screenshots: