WARNING: American Express fails miserably at basic security (with update)

When Joe Damato looked under the hood of American Express Network’s Daily Wish sign-up form, he wasn’t happy:

The Daily Wish sign-up form from the American Express Network is sending credit card numbers, expiration dates, and all the other personal information on the sign-up form in the clear back to their server.

Holy. Fuck.

You can read the details and see the screenshots on the Time to Bleed blog.

Joe subsequently posted this update:

As of 3:35pm PST on 5/25/2010 it seems to be fixed. Wireshark shows only TLS traffic now, nothing in the clear. Pretty quick fix, since this was published at 11:54am. Good deal.

