Find A Massive Security Hole At American Express? If You're Not A Cardholder, It Doesn't Care

from the ouch dept

One of the general tenets of white hat security hackers is that when they find a vulnerability they alert the company first and allow it to fix things before they reveal the details. But what if it's impossible to reach anyone at the company? That Anonymous Coward points us to a recent case of someone discovering a serious zero-day vulnerability at American Express... and not only not being able to find anyone to contact, but also being told that the company would pay more attention to him if he were a cardholder:
To my great surprise American Express doesn’t allow anybody to contact them. Instead, you’re sent through their ten-year-old copyright noticed website’s first line support jungle to be attacked with questions ensuring that you’re a paying customer. If you’re not then you might as well not bother, unless you feel like speaking technical advanced 0day vulnerabilities with incompetent support personnel either through Twitter direct messages or phone. They will leave you no option of contacting them in a manner that circumvents any theoretical possibility they may have of boosting sales numbers.

The only acceptable contact methods that I found on their site were telephone, fax or physical mail to some typoed country called Swerige. I figured none of them were suitable for 0day reports and decided to turn to Twitter and ask for an e-mail address or some other modern protocol.
As TAC mentioned in his submission, perhaps black hat hackers are merely white hats who got tired of the muzak on hold...

Filed Under: reporting, security, security hole, vulnerabilities
Companies: american express


Reader Comments



  • Anonymous Coward, 11 Oct 2011 @ 1:50pm

    Why tell a company they have a vulnerability? If they won't give you the time of day you have another, much more supportive group of people that know what your time is worth...


  • PrometheeFeu (profile), 11 Oct 2011 @ 1:59pm

    I remember finding a vulnerability in a couple of smallish websites. I dutifully tried to bring it to their attention. I never heard back from any of them and they never fixed it. I have come to the conclusion that security is just not something that most developers think or know anything about. As for the business people... well, let's not go there... They won't care until the PR guy shows up with newspaper articles of your database being broken into.


    • :Lobo Santo (profile), 11 Oct 2011 @ 2:14pm

      Re: Then again

      Mebbe it only seems that way 'cuz you don't hear about the guys who really know their shiznit on security stuff...


      • Anonymous American, 11 Oct 2011 @ 3:04pm

        Re: Re: Then again

        Or more likely, the cost of a breach is much less than the cost of fixing a potential breach.

        Until this math is changed through higher and more painful penalties, it's going to stay that way.


    • Anonymous Coward, 11 Oct 2011 @ 4:15pm

      Re:

      Honestly, as a developer (not a web developer, mind you), I find software to always be in some stage of advanced beta. We are always on a deadline and we never pick what we fix first. Bug reports come in, go into a database, and then 5 business people meet on Wednesday to figure out which ones get fixed. If it isn't gonna bring immediate sales no one cares.

      Then you say why don't you find your own problems; most problems and bugs really require a second set of eyes, and my company definitely doesn't believe in agile practices. So really you just wait for someone to whine. And then you wait for the business people to decide how you spend your time.


      • Anonymous Coward, 11 Oct 2011 @ 5:13pm

        Re: Re:

        Agile just makes it worse since it makes it easier for business to micromanage features. Before that I would just quote the features they wanted and add the time it takes to fix the security issue as well. They have no clue how code works, so then later on if they do decide to fix the security bug, just use that time to fix some other bug.

        I do this kind of thing all the time. You just use their own ignorance against them and in the end actually help them.


    • Anonymous Coward, 11 Oct 2011 @ 5:46pm

      Re:

      If you used Google to find the vulnerable websites you probably wouldn't be able to contact them all.

      http://searchengineland.com/using-google-code-search-to-find-vulnerable-sites-10146
      http:// cybersaviours.wordpress.com/2011/02/20/how-to-find-out-if-a-website-is-vulnerable-to-sql-injection/

      I once typed a version of WordPress to see how many vulnerable websites were out there and there was a lot, including a lot of political websites.


    • Anonymous Coward, 11 Oct 2011 @ 7:21pm

      Re: Under-Resourcing Of Customer Support

      Fixing bugs and security holes is a form of customer support, which never gets any love because it is not perceived as having an influence on sales. That is wrong, of course, but the corporate psychopaths do not care about other people in general, so customer support gets starved of money, routinely.

      The whole existing credit card system is broken anyway. Think about it, anybody who knows your credit card number can help themselves to your bank account. Is that a disaster looking for somewhere to happen or what? The banks and the credit card companies know the system is broken, but they do not care, because they have largely diverted the losses to other people. When there is a fraudulent credit card transaction, first the loss goes to the cardholder. If the cardholder kicks up a big enough stink (not easy), then the loss goes to the merchant. The poor old merchants are just stuck, in most cases.

      The stuff about complaints only being accepted from cardholders is just a ruse to get the complainant to go away. They have a mountain of complaints already; adding another one is just a waste of time. Only a widespread consumer boycott of the broken credit card system would get the banks to fix it. There is no chance of the sheeple doing that, so the banks run the system, ignore the complaints and enjoy the profits.


      • nasch (profile), 11 Oct 2011 @ 7:37pm

        Re: Re: Under-Resourcing Of Customer Support

        I've found it extremely easy to dispute credit card charges. You're right though, it's broken. Two factor authentication would be nice, but probably too expensive and inconvenient to put into place.


      • Anonymous Coward, 11 Oct 2011 @ 8:01pm

        Re: Re: Under-Resourcing Of Customer Support

        If support@example.com is not right there, clear as day, on their website, then they have volunteered to be notified of their security vulnerabilities by having them published for all to see. Publish anonymously on any willing white-hat security site, then get on with your life.


      • Anonymous Coward, 12 Oct 2011 @ 6:10am

        Re: Re: Under-Resourcing Of Customer Support

        I was pretty much with you until you said "sheeple." Really? Really?

        Anyway, you can't boycott credit cards unless you don't care about building up credit. If you ever want to own a nice house, car, etc then you can't really boycott that stuff.


        • Anonymous Coward, 12 Oct 2011 @ 7:36am

          Re: Re: Re: Under-Resourcing Of Customer Support

          ???

          Yes you can, just never use credit.
          I never did for personal affairs; I always, always saved the money first and bought the things later.

          Do you realize how much you pay in hidden fees?

          If you ever want to own a really nice house, don't ever use credit for anything; save the money and pay in hard cash. Nobody will ever turn that down.


          • nasch (profile), 12 Oct 2011 @ 9:12am

            Re: Re: Re: Re: Under-Resourcing Of Customer Support

            If you ever want to own a really nice house, don't ever use credit for anything; save the money and pay in hard cash. Nobody will ever turn that down.

            Yeah, if you save $1000 a month, it will only take 25 years to get a $300,000 house. No problem, just save up!


            • S, 12 Oct 2011 @ 1:23pm

              Re: Re: Re: Re: Re: Under-Resourcing Of Customer Support

              Yeah, just pay DOUBLE what the house is worth so you can fail to pay it off before you croak, leaving your kids holding the bag!

              Who cares about frugality; you should have WHAT YOU WANT WHEN YOU WANT IT, and to hell with the future!


              • nasch (profile), 12 Oct 2011 @ 9:02pm

                Re: Re: Re: Re: Re: Re: Under-Resourcing Of Customer Support

                Yeah, just pay DOUBLE what the house is worth so you can fail to pay it off before you croak, leaving your kids holding the bag!

                You seem to be implying that 1) the term of a mortgage will be longer than your life and 2) if your mortgage isn't completely paid off when you die, then your heirs will be underwater on it. Neither assertion is correct.

                Besides, if you don't want to borrow money to buy a house then don't, I truly don't care. But IMO it's silly to suggest saving up money to buy "a nice house". Either take out a mortgage, or just rent.


  • That Anonymous Coward (profile), 11 Oct 2011 @ 2:17pm

    You tell the company so that they can actually fix it. But this is in the fantasy land where corporations are actually held accountable for craptastic failures to not use the most basic tools to protect the customer information. (We call them SONY)

    And sadly you're right PrometheeFeu, until it is in the media no one cares, and by then as a customer you've already been screwed over for months/years.

    This is someone tinkering around on his own dime, finding something really wrong and then trying to do the right thing.
    We have all of these great stories about how hackers are evil blah blah blah blah blah.... The flipside of that coin is, until it is a bigger financial detriment to the company to pay out court awards, spend nothing to secure your systems. But the spin is always the evil hackers, never the corps who got an extra bonus for gutting their network security department.

    Hackers tinker with things, they like to understand how they work. Hackers are not an evil criminal force covering the planet trying to rob everyone.

    And muzak is the devil.

    Given the high profile Sony, BART, CIA, etc etc etc "hacks" recently you'd think the corps would set up a phone number or something for white hats to get the people they need to talk to to fix.... er wait... they have no IT security people... nevermind...


    • Anonymous Coward, 11 Oct 2011 @ 7:19pm

      I.T. Courts?

      If we could introduce a system in which, if an informed I.T. professional sent a warning about a security hole and a financial group chose to neglect it, he could file a complaint and have that organization find people to fix it, or it would get into trouble.


  • Anonymous Coward, 11 Oct 2011 @ 2:17pm

    Is it just me or did others see the "DM me" and the phone number provided? Taking the discussion to DM absolutely seems like the appropriate action here. Where's the dirt?


    • That Anonymous Coward (profile), 11 Oct 2011 @ 2:22pm

      Re:

      Because someone hired to manage their twitter presence seems well versed in being able to understand vulnerabilities in their system. And she could have DM'd him... but do you really want Courtney deciding if a 0day is worth bumping up the line to her boss in PR?

      And the phone number... is customer service... once they figured out he was not a customer... yeah not so interested any more.


    • Planespotter (profile), 11 Oct 2011 @ 2:22pm

      Re:

      The dirt is that the twitter account is served by 1st line support staff at the very best... and he is trying to find a way to get straight through the jungle of expert systems and tiered support lines to talk to someone that will actually understand what he has to say.


    • David Liu (profile), 11 Oct 2011 @ 2:24pm

      Re:

      The phone number looks like it just points to a customer service number.

      "DM me" is just another way of saying, "message me, a low customer service tech, about your intricate 0day exploit, and I'll pass it on to my manager, who will lose it in the shuffle."

      For a vulnerability relating to a financial institution like American Express itself, I would think that they should take this very seriously.


      • :Lobo Santo (profile), 11 Oct 2011 @ 2:29pm

        Re: Re: Devils Cartographer

        On the other hand:

        Should they lavish time/money on every crackpot (no offense meant) who calls and says "I can beat the system!"?


        • That Anonymous Coward (profile), 11 Oct 2011 @ 2:38pm

          Re: Re: Re: Devils Cartographer

          He had verifiable proof that was quickly and easily verifiable.
          And if these corps were smart they would have contact info already provided to the community he is a part of.
          You're talking about white hat hackers, who aren't likely to publicize a "white hat hacker" reporting line/email etc. They understand very well the trust they would be getting there, and would ensure it remaining viable.

          Not all "security professionals" are exactly suit and tie people, but if it came down to making sure my system was secure I don't care if the expert had dreads and a TPB t-shirt on. Knowledge and skill should trump appearances. Ask Aaron Barr.


          • bjupton (profile), 11 Oct 2011 @ 2:46pm

            Re: Re: Re: Re: Devils Cartographer

            Not that this is at all your point...

            I'm amused at the thought of these big corps, especially the financials, not caring about appearances. :)


    • Dwayne, 11 Oct 2011 @ 5:37pm

      Re:

      You need to be friends with a user to DM them. I doubt they're friends on Twitter.


  • BearGriz72 (profile), 11 Oct 2011 @ 2:21pm

    Ha!

    "perhaps black hat hackers are merely white hats who got tired of the muzak on hold..."

    My hat must be getting grayer by the day...
    Oh wait that's just my hair.


  • Anonymous Coward, 11 Oct 2011 @ 2:27pm

    Is this about not being able to contact someone, or just not getting the recognition from someone who can appreciate what was found?

    Kinda smells like the second...

    Otherwise, if you can't easily get to someone who can understand the problem, just look up a bunch of executive e-mail addresses, as well as generics, and blast the details to all of them. Someone will pay attention.

    Unless it was more about the recognition.

    ;)


    • That Anonymous Coward (profile), 11 Oct 2011 @ 2:45pm

      Re:

      Not so much appreciate as understands.
      Do you think physicists enjoy being at parties and having to get out the coloring book version of physics 101 so that Bob from accounting can understand the conversation?

      If he wanted recognition and was that obsessed with it he would have hacked the site and done something to leave a mark.

      High end geeks tend to have little patience for people who demand to know how the technology works. They prefer talking to peers who know all of the basic concepts so you're not explaining how a communication protocol works; they have all the basics down already.

      These are the people who created the carrier pigeon protocol, and it only had packet loss in hunt season.


      • Anonymous Coward, 11 Oct 2011 @ 5:50pm

        Re: Re:

        I think that actually is a human weakness, we don't like to find easy ways to explain things to others and that is a problem to everyone.


        • Anonymous Coward, 12 Oct 2011 @ 5:28am

          Re: Re: Re:

          Sometimes there aren't easy ways to explain things, hence the amount of time it takes someone to become an expert. Difficult concepts can't always be simplified. Moreover, simplifying it down turns into the equivalent of telling someone what you do in terms a 5-year-old understands. If you do a good job, they'll think your job is simple and won't give it the appreciation it deserves, or you'll fail at the task and just waste your time.


  • Anonymous Coward, 11 Oct 2011 @ 2:29pm

    Swerige means Sweden.


  • matics (profile), 11 Oct 2011 @ 2:39pm

    Imagine the police had that sort of service?

    "Hello, 911? I'd like to report that I saw someone trying to break into a local bank through a wall."

    "OK sir, and are you a member of that bank?"

    "Well... No, but-"

    "I'm sorry, if you aren't a member, you need to call 912, our other support line. Thanks and good luck!"

    "..."


  • Dan_Stephans (profile), 11 Oct 2011 @ 2:40pm

    Once he exhausted the whole "use twitter to try to find the best person to talk to" this became news?

    I see nowhere in TFA where he tried any other reasonable avenues of communication. What I do see is that he decided that those avenues of communication were not appropriate (his decision) and that Twitter was, for some reason.

    Sorry, non-story.


    • That Anonymous Coward (profile), 11 Oct 2011 @ 2:56pm

      Re:

      Because calling an 800 number from .se is cheap and easy to get routed to someone in a call center halfway around the world who will be the chosen one who will understand what the issue was.


      • Anonymous Coward, 11 Oct 2011 @ 3:07pm

        Re: Re:

        I am sure two non-native English speakers speaking English to each other is a really fun conversation to be a part of too.


        • Anonymous Coward, 11 Oct 2011 @ 3:12pm

          Re: Re: Re:

          Especially with something as non-technical as a 0day web exploit.


      • Dan_Stephans (profile), 11 Oct 2011 @ 3:14pm

        Re: Re:

        And he expected better results with twitter? I'm sorry, if you're intelligent enough to track down a 0day you can do better than this guy in attempting to find a fruitful avenue of communication.


        • ike, 11 Oct 2011 @ 4:47pm

          Re: Re: Re:

          It's the second time you said that, but there is no basis for it. He balked at the suggestion of using twitter.


  • Anonymous Coward, 11 Oct 2011 @ 2:41pm

    When did the telephone stop being a modern protocol? Even if you don't have a phone there are plenty of free ways to place phone calls through a computer connected to the internet.


    • Anonymous Coward, 11 Oct 2011 @ 3:07pm

      Re:

      Because they wouldn't talk to him anymore after he told them he wasn't a card holder; it's in the first paragraph.


      • Anonymous Coward, 13 Oct 2011 @ 6:37am

        Re: Re:

        Except he didn't call, he went through the website and twittered and in fact on twitter he said that he was not available by phone.

        I'm not saying this makes it any better, I'm just wondering why he couldn't call.


        • nasch (profile), 13 Oct 2011 @ 10:53am

          Re: Re: Re:

          I'm not saying this makes it any better, I'm just wondering why he couldn't call.

          Maybe he knew that customer support wouldn't have the first clue what to do with his information.


    • Anonymous Coward, 12 Oct 2011 @ 10:40am

      Re:

      He would be wasting his time. Customer Support for many companies is notoriously shoddy. Even then, corporations have no legal or financial responsibility to fix any vulnerabilities.


  • Jeff, 11 Oct 2011 @ 2:43pm

    Since they won't listen...

    You might as well just do nothing further... or simply release the details of the exploit, and let American Express resolve it on their own after the damage is done.


  • Anonymous Coward, 11 Oct 2011 @ 2:44pm

    Did you try abuse? Security?

    Why didn't you email their abuse address? security@ is also commonly monitored by CERT teams.

    http://www.co.sisqjustice.ca.us/contact.htm


    • That Anonymous Coward (profile), 11 Oct 2011 @ 2:59pm

      Re: Did you try abuse? Security?

      And this is common knowledge to people outside the US? Just stuff an email to a couple addresses that may or may not be monitored and hope that the company who drew a freaking bullseye around the hole in the system will fix it?

      I was reading his twitter feed... very smart man.
      They tried to hide the tool by putting the address to it in robots.txt and telling them not to look there.
      Security through obscurity...


  • Anonymous Coward, 11 Oct 2011 @ 2:53pm

    Why are you testing their security?

    Since you aren't a customer? So you can sell it to them? Slag them off? You seem either clueless or a bit of a dick.


    • Anonymous Coward, 11 Oct 2011 @ 3:10pm

      Re: Why are you testing their security?

      Yeah, what a dick, he took this hack and stole a bunch of people's info then sold the 0day to a hacker ring for a cool half a million and is now on a beach fuc....oh wait no he attempted to tell the company, got sick of trying and publicly released it so they would hear about it, what a dick.


    • Anonymous Coward, 11 Oct 2011 @ 3:12pm

      Re: Why are you testing their security?

      Are you an idiot? Serious question.


      • Anonymous Coward, 11 Oct 2011 @ 3:36pm

        Re: Re: Why are you testing their security?

        No you are the idiot, fool.


    • hmm (profile), 11 Oct 2011 @ 4:47pm

      Re: Why are you testing their security?

      Because he wanted to HELP other human beings to NOT get ripped off?

      In your world I guess doing something for altruistic (that's a big new word..look it up) reasons makes someone a dick?

      Interesting.


  • Simon, 11 Oct 2011 @ 3:28pm

    It shouldn't be necessary, but I've resorted to this kind of technique to find someone to disclose to before now : http://lmgtfy.com/?q=inurl%3Alinkedin+american+express+security


  • Jim_G, 11 Oct 2011 @ 3:30pm

    Please notice that Mike has added a tremendous amount of information in how this story is presented and it is affecting everyone's opinions of the twitter dialog. Mike is the one who called this "a serious zero-day vulnerability" and a "massive security hole." It might be that serious, but Niklas just called it a "security vulnerability" and then seemed incapable of summarizing the threat. I don't know the details of the exploit, but he could have said "I have found a way to steal AmEx card numbers from another web site such as Amazon, and can demonstrate how this works." I think that would have gotten more attention.


    • blaktron (profile), 11 Oct 2011 @ 3:45pm

      Re:

      If you read about what exactly the exploit is from the guy himself, you'll see that there's no way to impart the seriousness of what he found to the average call centre monkey. He tried to follow the white hat security model to the fullest, but that model is a 2-way street, and Amex didn't do its part.


  • Anonymous Coward, 11 Oct 2011 @ 4:16pm

    Executive Offices

    American Express Company
    World Financial Center
    New York, NY 10285
    212.640.2000

    Not that hard to find the corporate contact information.


    • Anonymous Coward, 11 Oct 2011 @ 4:27pm

      Re:

      No kidding, the person reporting the problem acted like an idiot and then blamed Amex.


    • That Anonymous Coward (profile), 11 Oct 2011 @ 4:48pm

      Re:

      *boggle*
      You obviously have no understanding of how and what a 0day can do.
      In the time it would have taken for a letter to make it across the Atlantic, the amount of damage that could have been done is HUGE.
      And you expect someone on their own dime to shore up their services, and bear all of the burdens because they couldn't be bothered to secure the system in the first place.

      You... out of the gene pool...


      • Anonymous Coward, 11 Oct 2011 @ 9:31pm

        Re: Re:

        Apparently you missed the phone number in that post. If it is so important then why not pay for the long distance call?


        • That Anonymous Coward (profile), 12 Oct 2011 @ 6:04am

          Re: Re: Re:

          The phone number for card member services, where once the call center person asks for his card number and he doesn't have one they stop caring about anything he has to say.


  • That Anonymous Coward (profile), 11 Oct 2011 @ 4:17pm

    All in all I am sure Mike is just happy I submitted something not copyright related for once. :)

    Speaking of which.... *runs off to submit*


  • Jayce, 11 Oct 2011 @ 4:36pm

    He's probably better off

    They'd just try to prosecute him for finding a hole, anyway.


  • hmm (profile), 11 Oct 2011 @ 4:43pm

    I KNOW WHY!

    If you don't tell them about the vulnerability they can claim later they have no knowledge of it, no-one's to blame and no one in management gets fired......

    If they KNOW about the vulnerability they have a duty to fix it or face class action lawsuits............


  • hmm (profile), 11 Oct 2011 @ 4:49pm

    the answer

    The following post on any website searchable by google would have got their attention:

    WOW! I just found a way to take money directly out of the CEO of AMEX's *personal* bank accounts.......

    (5..4..3..2..1.)....cue call from Amex Security......


  • Chris Maresca (profile), 11 Oct 2011 @ 6:05pm

    whois americanexpress.com = amexdns@aexp.com

    security "researcher" == fail


  • Anonymous Coward, 11 Oct 2011 @ 7:30pm

    I'm curious why he refused to use the phone number he was given to contact them.


    • Benny L (profile), 12 Oct 2011 @ 5:04am

      Re: why he didn't use the phone number supplied

      If I'm not mistaken, an 800 number is a toll free number in the United States. Well, have you ever tried calling one from abroad? That's one of the problems here. This guy is (like me) situated in Sweden, which as some of you may know is OUTSIDE the US borders.

      To put it simply: He CAN'T call that number no matter what. It just doesn't work.

      Which brings me to the next reason he's probably reluctant to phone, namely that Sweden is six (or seven, depending on whether summer time is in effect) hours east of New York, meaning that for him to actually find someone to answer the phone on the other end he's going to have to call late in the afternoon or evening, local time.

      As to the other options, snail mail or fax... well, I shouldn't have to comment on that, should I?

      That said, he could probably have been a bit more creative in trying to find someone not shielded by first line support to talk to, had he tried for example googling for someone on linked in associated with Amex security as someone suggested here.

      But the whole point is, why the h*ll should he have to??

      He found/heard of/(re)searched/stumbled upon/whatever a serious security problem and as a good netizen he wanted to inform the party involved, and was unable to find someone to talk to, in part because he wasn't a customer.

      That's not good security policy no matter how you look at it.


      • Mike Raffety (profile), 12 Oct 2011 @ 3:42pm

        Re: Re: why he didn't use the phone number supplied

        For some years now, U.S. 800/888/877/866 numbers CAN be dialed from other countries, though they're not toll-free, usual calling rates apply.


  • Parker, 11 Oct 2011 @ 9:55pm

    This might have been said already, but my solution would be to just leak the vulnerability (anonymously of course). Let them learn security the hard way. (but then I'm an asshole)


  • Rich Kulawiec, 12 Oct 2011 @ 4:36am

    Sadly, this is extremely common

    RFC 2142 specifies role account email addresses (e.g., "postmaster") which all domains must/should support in order to facilitate communication. Any operation which does not support at least the mandatory addresses is clearly incompetently managed -- and quite foolish, as it has deliberately cut itself off from free expert assistance.

    Yet this has become the norm. Many clueless, lazy, cheap and ignorant admins will claim that this is necessary because of the levels of spam/abuse that arrives in these mailboxes. Of course, everyone with sufficient experience knows that's merely a flimsy excuse for their inability to handle a rudimentary task. Other equally-clueless admins will provide an idiotic web form that demands irrelevant information and forces correspondents into using a very limited communication method (i.e., one which does not support lengthy messages and/or attachments).

    The ignorant newbies who do all this are of course the first ones to whine and cry foul when researchers publicly disclose a problem.

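As an added example (not from the comment above, nor anything Techdirt or American Express publishes), here is a small Python audit of a Postfix-style aliases table for the RFC 2142 role names the comment refers to. It assumes the alias syntax `name: target, target` and a constructed sample table; the point it makes beyond "is the address defined" is that a role mailbox routed to `/dev/null` or into an alias loop is just as unreachable as one that was never created.

```python
# postmaster is required by RFC 5321; the others are RFC 2142 role names a domain
# running mail, DNS or web services is expected to route to a responsible person.
REQUIRED = ("postmaster",)
RECOMMENDED = ("abuse", "security", "noc", "hostmaster", "webmaster")

def parse_aliases(text):
    """Return {alias: [targets]} from 'name: t1, t2' lines; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, targets = line.partition(":")
        table[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return table

def resolve(table, name, seen=None):
    """Follow alias chains to delivery endpoints; a loop or /dev/null yields none."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    if name not in table:
        return {name}  # a real local user or an external address
    out = set()
    for target in table[name]:
        if target != "/dev/null":
            out |= resolve(table, target.lower(), seen)
    return out

def audit(text):
    """Classify each role name as 'ok', 'missing' or 'blackhole'."""
    table = parse_aliases(text)
    report = {}
    for name in REQUIRED + RECOMMENDED:
        if name not in table:
            report[name] = "missing"
        elif not resolve(table, name):
            report[name] = "blackhole"
        else:
            report[name] = "ok"
    return report

# Constructed sample: abuse@ and noc@ are absent, security@ is discarded, and
# webmaster@ and www@ alias each other so neither ever reaches a person.
SAMPLE = """
postmaster: root
root: ops-team
hostmaster: postmaster
security: /dev/null   # "too much spam"
webmaster: www
www: webmaster
"""
```

Running `audit(SAMPLE)` reports postmaster and hostmaster as ok, abuse and noc as missing, and security and webmaster as black holes; the same check works on a real aliases file read from disk.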

    • That Anonymous Coward (profile), 12 Oct 2011 @ 6:07am

      Re: Sadly, this is extremely common

      The protection for leaving the debug console up and open was to exclude it specifically by name from robots.txt

      Do you think they have someone competent?


    • greg.fenton (profile), 12 Oct 2011 @ 7:09am

      Re: Sadly, this is extremely common

      A sadly good number of companies online today have never bothered to understand the RFCs. Today, you don't need to read an RFC to get up and on the net.

      Many admins today have inherited a system set up by us long beards (or suspender wearers....or both). Though many of us have established good practices, there's no guaranteeing that they are being followed by those who are now running the front lines.


  • ejes, 12 Oct 2011 @ 6:27am

    there's actually a due process that you're supposed to follow with regard to submitting a new undiscovered vulnerability. and it's not to use twitter.

    sounds to me like this guy is a joke.


    • Anonymous Coward, 12 Oct 2011 @ 6:44am

      Re:

      There's probably a protocol to follow if you get a paycheck for it. This guy did it independently. The man has no obligations to AmEx. Unless he exploited the vuln he did nothing morally wrong.


    • greg.fenton (profile), 12 Oct 2011 @ 7:14am

      Re:

      Care to highlight where one finds this due process, in particular with respect to a general member of the public submitting to American Express?

      And the article makes it clear that there is an element of expediency.

      Oh, and this is a general member of the public using their own time and resources to try to notify a massive company to save that company pain and turmoil. So this due process had better be (a) relatively expedient and (b) not unreasonably burdensome.


    • nasch (profile), 12 Oct 2011 @ 9:07am

      Re:

      there's actually a due process that you're supposed to follow with regard to submitting a new undiscovered vulnerability.

      What is that process, then? Maybe you can be helpful and let this guy know about it.


  • Benny L (profile), 12 Oct 2011 @ 6:35am

    And it sounds to me like he's trying very hard to follow protocol here but can't even get off the starting blocks. I don't see any revelation of vulnerability details on the twitter feed in question, do you? In fact, isn't the joke really that there are people who don't even bother to read what they're commenting on?


  • dave, 12 Oct 2011 @ 9:33am

    can't find out how to contact them?


  • Steve Tadrellis, 16 Dec 2011 @ 8:46pm

    It's really beneficial to use a mediator during these circumstances.


  • That's a bit worrying

    Amex is a perfect example of a company whose only goal is money over everything. I hope the security issues have been addressed, as I was considering becoming an Amex member.


