Phishing vulnerability reported at American Express site

The most important thing first:

The researcher Andrea Giuliani, a 16-year-old geek from Italy, has contacted the credit card giant about the flaw.

The problem is that intl_ads_redirect.jsp also allows redirects to destinations outside the American Express domain (!): the location parameter, i.e. intl_ads_redirect.jsp?location=, accepts an external URL, which makes the page a ready-made open redirect for phishing links that start on the genuine americanexpress.com host.

Link to the Andrea’s Italian language blog entry:

More information and sample links here:

Yes, it is another Italian-language entry, but it will help you.

Needless to say, the second example uses location=%68%74%74%70%3A%2F%2F…, which is simply http:// percent-encoded (%68 = h, %74 = t, %70 = p, %3A = :, %2F = /); the server decodes it back to a plain external URL before redirecting, while the link itself looks less suspicious to a reader.
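As an added example (not code from the original post, and not American Express's actual JSP), the following Python sketch shows why a check on the raw query value misses the percent-encoded form from the second example, and what a proper check for a location= style redirect looks like. The naive_allows filter is a hypothetical string check, the ALLOWED_HOSTS allowlist is an assumption for illustration, and example.invalid stands in for a phisher's host.

```python
from urllib.parse import unquote, urlsplit

# Assumed allowlist of hosts a redirect may land on (illustrative, not AMEX's real config).
ALLOWED_HOSTS = {"www.americanexpress.com", "americanexpress.com"}


def decode_location(raw_location: str) -> str:
    """Percent-decode the query value once, as a servlet container does for request.getParameter()."""
    return unquote(raw_location)


def naive_allows(raw_location: str) -> bool:
    """Hypothetical naive filter: refuses values that visibly start with a scheme.

    It inspects the still-encoded value, so %68%74%74%70%3A%2F%2F ("http://") sails through.
    """
    lowered = raw_location.lower()
    return not lowered.startswith(("http://", "https://", "//"))


def is_safe_redirect(raw_location: str) -> bool:
    """Hardened check: decode first, then parse and allowlist the destination host.

    Accepts only (a) absolute http(s) URLs whose host is on the allowlist, or
    (b) site-relative paths beginning with a single slash.
    """
    location = decode_location(raw_location)

    # Control characters, whitespace and backslashes are parser-confusion material:
    # browsers treat "\" as "/", which turns "/\evil" into "//evil".
    if any(ord(c) < 0x21 for c in location) or "\\" in location:
        return False

    parts = urlsplit(location)  # scheme and hostname come back lowercased

    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False          # javascript:, data:, ftp:, ...
        if "@" in parts.netloc:
            return False          # user:pass@host tricks
        return parts.hostname in ALLOWED_HOSTS

    # No scheme: must be a plain site-relative path, not scheme-relative (//host/...)
    if parts.netloc or not location.startswith("/") or location.startswith("//"):
        return False
    return True


if __name__ == "__main__":
    # Constructed samples; example.invalid stands in for a phisher's host.
    encoded = "%68%74%74%70%3A%2F%2Fexample.invalid/login"
    print(decode_location(encoded))          # http://example.invalid/login
    print(naive_allows(encoded))             # True  (bypassed)
    print(is_safe_redirect(encoded))         # False (caught)
    print(is_safe_redirect("/intl/cards"))   # True
```

The check decodes exactly once, matching what the container hands the JSP; a double-encoded value decodes to a string with no scheme or leading slash and is rejected as well. Comparing the parsed hostname against an allowlist, rather than looking for a substring such as americanexpress.com, also defeats hosts like www.americanexpress.com.example.invalid.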

I confirmed by phone and e-mail on Monday that AMEX is aware.