Oct 5, 2010 12:00 GMT

A cross-site scripting (XSS) vulnerability has been identified on an American Express website secured with EV SSL and can be exploited to enhance phishing attacks.

XSS weaknesses arise when a Web application takes untrusted input (a form field, URL parameter or header) and writes it back into a page without validating it and encoding it for the HTML context, so that an attacker's markup or script is returned to visitors' browsers and executes with the privileges of the vulnerable site.

Preventing cross-site scripting and injection vulnerabilities, by validating all inputs and properly encoding output, is an explicit requirement of the Payment Card Industry Data Security Standard (PCI DSS Requirement 6.5, on secure coding), which applies to card brands and merchants alike.

The flaw is located on a page on the americanexpress.com domain and was reported via the XSSed Project by a security researcher called "SeeMe."

"The affected page uses a Verisign Extended Validation SSL certificate, which assures the visitors that the content and the domain name belong to American Express.

"So most probably, potential phishing attacks leveraging the XSS on the SSL site could have a high success rate," XSSed co-founder Dimitris Pagkalos, commented.

The vulnerability is a "reflected" XSS: the malicious payload travels inside the request itself and is echoed back in the response, so exploitation involves tricking users into visiting a specially crafted link.

The link would still point to the American Express domain and the page would carry the browser's SSL indicators (the padlock and, for an EV certificate, the green address bar showing the company name), making a phishing email built around it look very credible.

There are multiple attack scenarios. One involves displaying a rogue page inside an iframe on the vulnerable website; if the framed content is served over plain HTTP, the browser flags it as mixed content and downgrades the padlock, which partially undermines the SSL assurance, although an attacker who serves the framed content over HTTPS from a domain they control avoids that warning.

The flaw can also be exploited to trigger a redirect to an external website, something many users would probably not notice, having already satisfied themselves that they clicked an americanexpress.com URL.
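The following is an added example, not code from the article or from American Express, illustrating the mechanism described above (unencoded reflection of a request parameter) and the two attack scenarios (an injected iframe and a script-driven redirect) against a constructed search-style endpoint. The host `www.example.test`, the attacker domain `attacker.example`, the parameter name `q` and the page template are all assumptions; the probe works the way a reporter would test a suspected reflected XSS, by sending a payload and checking whether it comes back unencoded, and the hardened handler shows the same payloads rendered inert by HTML output encoding.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for a reflecting page; not any real site's code.
TEMPLATE = "<html><body><h1>Results for: {term}</h1></body></html>"


def _query_param(url, param="q"):
    """Extract one query-string parameter from a URL (empty if absent)."""
    return parse_qs(urlsplit(url).query).get(param, [""])[0]


def render_vulnerable(url):
    """Reflect the parameter straight into HTML: classic reflected XSS."""
    return TEMPLATE.format(term=_query_param(url))


def render_hardened(url):
    """Same page, but HTML-encode the reflected value first.
    quote=True also encodes " and ' so the value stays inert even if the
    template ever places it inside an attribute."""
    return TEMPLATE.format(term=html.escape(_query_param(url), quote=True))


# The two scenarios from the article, as hypothetical payloads an attacker
# would embed in a link that still points at the trusted domain.
IFRAME_PAYLOAD = '<iframe src="https://attacker.example/login"></iframe>'
REDIRECT_PAYLOAD = '<script>location="https://attacker.example/"</script>'

TRUSTED_BASE = "https://www.example.test/search"  # assumed endpoint


def craft_link(payload, base_url=TRUSTED_BASE, param="q"):
    """Build the phishing link: trusted host, attacker-controlled query."""
    return base_url + "?" + urlencode({param: payload})


def link_host(url):
    """Host the victim sees in the address bar for a crafted link."""
    return urlsplit(url).hostname


def reflects_unencoded(render, payload, param="q"):
    """Probe for reflected XSS: send the payload and check whether the
    response contains it byte-for-byte (i.e. without encoding)."""
    return payload in render(craft_link(payload, param=param))


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("hardened", render_hardened)):
        for payload in (IFRAME_PAYLOAD, REDIRECT_PAYLOAD):
            print(name, "reflects unencoded:",
                  reflects_unencoded(render, payload))
    print("link host:", link_host(craft_link(IFRAME_PAYLOAD)))
```

The probe deliberately checks for the exact payload rather than for a generic "<script>" string, because a site may encode only some characters; a payload that comes back with `<` intact but `"` encoded is still exploitable in a text context but not inside an attribute, and the distinction matters when triaging a report.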

This disclosure comes after last month a different security researcher found a similar vulnerability on the usa.visa.com website.

It's also worth pointing out that this is the seventh XSS weakness discovered on American Express websites and reported through the XSSed project so far.