If you enjoy this article, subscribe (via RSS or e-mail) and follow me on twitter.
As of 3:35pm PST on 5/25/2010 it seems to be fixed. wireshark shows only TLS traffic now, nothing in the clear. Pretty quick fix, since this was published at 11:54am. Good deal.
This article is going to reveal a pretty serious error in a web form on the American Express Network website. I would strongly recommend NOT filling out the web form described below.
Daily Wish from the American Express Network
Daily wish from the American Express Network sent me an email this morning trying to get me to sign up for their deal of the day service where they offer a very limited quantity of products for a low price.
Sounds simple enough, right?
Well, the time of the sale is not released until the day the sale occurs, unless you are an American Express cardholder. If you are a card holder, you get a special landing page on their website telling you that if you sign up, you can get the sale times before the sale date.
The white arrow below points to the tab that only appears if you clicked through from an email from American Express. The red arrow below points to the sign up button. Take a look:
Sign up page
After clicking the sign up button (red arrow above), a lightbox appears asking for:
- First and last name
- American Express credit card number
- Security code
- Expiration date
- Billing zip
Quite a bit of personal information, much of it sensitive. [sarcarsm]Don’t worry the page is secure[/sarcasm], see the form and the white arrow below:
The code from the form
This form looked very suspicious to me, so I decided to take a look at the code to see if the
action for this sign up form was over
HTTPS. Check it:
So the action is to a handler at
http://dailywish.amexnetwork.com/preid2.aspx?ct=7. The lack of
https doesn’t make me feel very good.
WebForm_OnSubmit() function is doing something that might make this secure? Let’s take a look:
So it looks like that function is just a validator. It is really starting to feel like this form is insecure.
Let’s bring out wireshark and see what it has to say.
Wireshark packet sniff
So I filled out the form with fake information and sniffed the
POST to the server.
The Daily Wish sign up form from the American Express Network is sending credit card numbers, expiration dates, and all the other personal information on the sign up form in the clear back to their server.
- Do NOT fill out the form until American Express fixes this issue.