More American Express sites vulnerable to XSS and open redirects
Written by DP
Tuesday, 5 October 2010
Three more critical vulnerabilties have been reported for AmericanExpress.com... The other XSS
is still pending a fix.
" from Security-Sh3ll
has reported a cross-site scripting hole affecting the supposedly secure American Express online rewards mall
, a shopping portal that offers special offers and discounts to PASS prepaid card members at hundreds of online merchants, as well as in stores.
"Ensuring proper validation of all inputs in Web applications, in order to prevent cross-site scripting and SQL injection vulnerabilities, is actually a requirement of the Payment Card Industry Data Security Standard (PCI-DSS)."
, Lucian Constantine, SoftPedia's security columnist, writes
To avoid further embarrassment, American Express must really review their data security operating policy and update it correctly in order to achieve compliance with their following statements
, since they are founding members of the PCI Security Standards Council
"Our long-standing commitment to Data Security:
Cardmembers have relied on American Express for the highest level of service and protection. In continuously addressing security issues, we have developed this Data Security Operating Policy and are working with merchants and service providers to help them establish appropriate security programs."
"Compromised data negatively impacts consumers, merchants, and card issuers. Even one incident can severely damage a company's reputation and impair its ability to effectively conduct business. Addressing this threat by implementing the American Express Data Security Operating Policy can help improve customer trust, and has the potential to increase profitability as well as enhance a company's reputation. Your customers can feel more secure and so can you."