In association with heise online

13 January 2012, 09:04

American Express fixes critical security vulnerability

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

American Express logo

Charge card company American Express has fixed a security vulnerability on its web site that allowed SQL injection and, therefore, direct access to its server's database. The company acted after The H's associates at heise SecurityGerman language link forwarded a tip-off from one of its readers.

Student Nils Kenneweg had discovered that the pages of the American Express web site did not adequately filter data passed to a search function, thereby allowing direct access to the database server. He sent a message about this SQL injection problem to the heise Security team, who were able to reproduce it; the information was then passed on to American Express.

The company reacted quickly and fixed the vulnerability within a few days. It stated that the vulnerability had not been used and no customer data had been compromised. Some doubt exists about this statement, however, since SQL injection frequently allows access to all of an affected system's data, and tables with names like "Accounts" often show up in SQL statements.

Zoom Cleverly designed queries could have been used to communicate directly with the server's SQL database

Of particular concern is that the vulnerability was found not in some hidden corner but in the search function – the first place someone would test for such problems. A web site that is regularly tested and systematically secured should not have this kind of vulnerability in such an exposed location.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit