"A glaring vulnerability on the American Express website has
unnecessarily put visitors at risk for more than two weeks and violates
industry regulations governing credit card companies, a security
researcher says.

Among other things, the cross-site scripting (XSS) error on
americanexpress.com allows attackers to steal users' authentication
cookies, which are used to validate American Express customers after
they enter their login credentials. Depending on how the website is
designed, miscreants could use the cookies to access customer account
sections, said Russ McRee of the Holistic Security blog. A URL demonstrating this weakness is here."
Read more: http://www.theregister.co.uk/2008/12/16/american_express_website_bug/