Phishing vulnerability reported at American Express site

The most important thing first:

The researcher Andrea Giuliani, 16 years old geek from Italy, has contacted credit card giant about the flaw.

The problem is that intl_ads_redirect.jsp enables redirecting outside of American Express domain too (!), i.e. .jsp?location=http://www.phishingsite.com

Link to the Andrea’s Italian language blog entry:

andreagiuliani.com/2006/12/04/vulnerabilita-su-sito-american-express-possibile-attacco-phishing/

More information and sample links here:

vincenzoampolo.nanofreesoft.org/?p=46

Yeah, Italian entry again. But www.google.com/translate_t will help You.

No need to say that the second example uses location=%68%74%74%70%3A%2F%2F…

I have confirmed with phone and e-mail on Monday that AMEX is aware.

Share