American Express Fails to Promptly Address XSS Flaw

The vulnerability is fixed after it leaks into the media

By Lucian Constantin, Web News Editor

17th of December 2008, 14:15 GMT

[Image: American Express website vulnerable to phishing attacks via XSS]
Security researcher Russ McRee has published on his blog details of a critical, unpatched cross-site scripting vulnerability in the American Express website. He says he resorted to public disclosure after two weeks of trying, without success, to get the company to fix it.

According to Mr. McRee, he found the vulnerability when he decided to scrutinize the American Express website for security issues, prompted by earlier concerns about the company's security practices. “I kid you not, thirty seconds later, I found a new cross-site scripting (XSS) vulnerability right off the American Express primary search script,” the researcher writes. He also notes that this flaw is distinct from the three other American Express XSS vulnerabilities previously documented by the XSSed project.

The vulnerability stems from insufficient validation of a parameter in a GET request, which means the attack payload travels in a URL that a victim only needs to click. Script injected this way can harvest session cookies and inject iframes, which opens the door to more serious attacks, such as phishing pages served under the genuine American Express domain. Because the site handles financial accounts for a high-profile brand, the likelihood that such a flaw is used for identity theft is correspondingly higher.

The researcher says he tried to report the vulnerability following responsible disclosure practices, but gave up after receiving no reply for two weeks. “I followed my terms of engagement in reporting these findings to American Express and was ignored by everyone including a director in their information security organization,” he explains.

McRee also points out that the existence of this vulnerability violates the PCI Data Security Standard (PCI DSS), the payment card industry's global data security standard, which applies to all organizations that store, process or transmit cardholder data and which, among other things, requires web applications to be protected against common coding flaws such as cross-site scripting. Ironically, American Express is one of the founding members of the PCI Security Standards Council, the body that develops the standard.

In addition to the XSS flaw, McRee came across another issue that raises concerns, in the form of a “most informative 500 error page exception.” The error page revealed details of the site's technology stack, namely that it runs on the Vignette CMS hosted on Apache and IBM WebSphere. Disclosing product names in this way lets an attacker narrow the search for known vulnerabilities to exactly those components; a production server should return a generic error page and keep the exception details in its own logs.

This is not the first time American Express has attracted attention for its security practices. Back in May, researchers voiced concerns over the company's online account registration form, which only accepted passwords between 6 and 8 characters long. The PCI DSS requires passwords to be at least seven characters long and to contain both numeric and alphabetic characters.

From a security perspective, capping passwords at 8 characters makes no sense: each additional character multiplies the number of guesses a brute-force attack must make, so a low ceiling keeps every account within reach of such an attack and stops users who want a stronger password from choosing one. Since American Express asks its own customers and merchants to adopt strict security policies, some characterized the incident as a case of “do how we say and not how we do.”

The XSS flaw was eventually fixed, soon after other blogs and online news websites picked up Mr. McRee's report, which likely caused some stir among customers. “Please contact American Express and register your own complaint,” the researcher recommends on his blog. “This is simply unacceptable,” he concludes.

© Copyright 2001-2009 Softpedia