AmEx unprotected login site

Lance James lancej at securescience.net
Wed Jun 8 15:26:47 EDT 2005


Protected or not, AmericanExpress.com has multiple web vulnerabilities -
I wouldn't log into it with a ten-foot pole :)

-Lance

-----Original Message-----
From: owner-cryptography at metzdowd.com
[mailto:owner-cryptography at metzdowd.com] On Behalf Of Perry E. Metzger
Sent: Wednesday, June 08, 2005 12:16 PM
To: Jerrold Leichter
Cc: Amir Herzberg; cryptography at metzdowd.com
Subject: Re: AmEx unprotected login site


Jerrold Leichter <jerrold.leichter at smarts.com> writes:
> If you look at their site now, they *claim* to have fixed it:  The login box
> has a little lock symbol on it.  Click on that, and you get a pop-up window
> discussing the security of the page.  It says that although the page itself
> isn't protected, "your information is transmitted via a secure environment".
>
> No clue as to what exactly they are doing, hence if it really is secure.

They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who cleverly sent you an
altered version of the page.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
majordomo at metzdowd.com





