Information Security all in one place!

American Express (AMEX) fixes critical security vulnerability

Charge card company American Express has fixed a security vulnerability on its web site that allowed SQL injection and, therefore, direct access to its server’s database. The company acted after The H‘s associates at heise SecurityGerman language linkforwarded a tip-off from one of its readers.

English: no original description

Image via Wikipedia

Student Nils Kenneweg had discovered that the pages of the American Express web site did not adequately filter data passed to a search function, thereby allowing direct access to the database server. He sent a message about this SQL injection problem to the heise Security team, who were able to reproduce it; the information was then passed on to American Express.

The company reacted quickly and fixed the vulnerability within a few days. It stated that the vulnerability had not been used and no customer data had been compromised. Some doubt exists about this statement, however, since SQL injection frequently allows access to all of an affected system’s data, and tables with names like “Accounts” often show up in SQL statements.

Read More:


Let's hear what you have to say.

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s