Phishing vulnerability reported at American Express site
The most important thing first:
The researcher Andrea Giuliani, 16 years old geek from Italy, has contacted credit card giant about the flaw.
The problem is that intl_ads_redirect.jsp enables redirecting outside of American Express domain too (!), i.e. .jsp?location=http://www.phishingsite.com
Link to the Andrea’s Italian language blog entry:
More information and sample links here:
Yeah, Italian entry again. But www.google.com/translate_t will help You.
No need to say that the second example uses location=%68%74%74%70%3A%2F%2F…
I have confirmed with phone and e-mail on Monday that AMEX is aware.