American Express (AMEX) fixes critical security vulnerability

Charge card company American Express has fixed a security vulnerability on its web site that allowed SQL injection and, therefore, direct access to its server’s database. The company acted after The H‘s associates at heise Securityforwarded a tip-off from one of its readers.

Image via Wikipedia

Student Nils Kenneweg had discovered that the pages of the American Express web site did not adequately filter data passed to a search function, thereby allowing direct access to the database server. He sent a message about this SQL injection problem to the heise Security team, who were able to reproduce it; the information was then passed on to American Express.

The company reacted quickly and fixed the vulnerability within a few days. It stated that the vulnerability had not been used and no customer data had been compromised. Some doubt exists about this statement, however, since SQL injection frequently allows access to all of an affected system’s data, and tables with names like “Accounts” often show up in SQL statements.

Read More: http://tinyurl.com/7vsjoup

Related articles

• You thought SQL injection was bad? Schema injection coming to a NoSQL site near you (mysqltalk.wordpress.com)
• Lilupophilupop: coming to a site near you? (blogs.rsa.com)
• 01/12/12: Experian, American Express, Paypal, Cdiscount, Verizon (sociallypay.wordpress.com)
• Use American Express Membership Reward Points to Get Groupon Gift Card (fashionhippo.com)
• 01/13/12: Billeo, Ingenico, iMobile3, Experian, American Express (sociallypay.wordpress.com)

January 13, 2012 | Categories: Enterprise, General Security, Hacking, Malware, Network Management, Network Security, Security | Tags: allowing direct access, American Express, american express membership reward, american express membership reward points, cdiscount, Database, FAQs Help and Tutorials, filter data, Microsoft SQL Server, search, Security, security vulnerability, SQL, SQL injection, Vulnerability | Leave a comment