Joe Damato checked the source of an AMEX page and then sniffed the traffic to see if his credit card information was encrypted properly. He was not impressed.
So I filled out the form with fake information and sniffed the POST to the server.
The Daily Wish sign up form from the American Express Network is sending credit card numbers, expiration dates, and all the other personal information on the sign up form in the clear back to their server.
Big ooops. AMEX fixed the problem quickly.
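One way to catch this class of mistake before someone with a sniffer does, as an added example that is not from Damato's post or the AMEX site: a small Python audit that parses a page's forms and flags any that would submit card-like fields to a non-HTTPS action URL. The sample HTML, hostnames and the field-name heuristic are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest card or credential data (constructed heuristic, not exhaustive).
SENSITIVE = ("card", "ccnum", "cvv", "cvc", "exp", "password", "ssn")

class FormAuditor(HTMLParser):
    """Collects each form's resolved action URL and the names of its fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of (action_url, [field names])
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._current = (urljoin(self.page_url, a.get("action") or ""), [])
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current[1].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Return forms whose sensitive-looking fields would be submitted without TLS."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for action, names in parser.forms:
        sensitive = [n for n in names if any(k in n for k in SENSITIVE)]
        if sensitive and urlsplit(action).scheme != "https":
            findings.append({"action": action, "fields": sensitive})
    return findings

# Constructed sample page: the sign-up form posts card data to a plain-HTTP endpoint;
# a second form posts only an e-mail address over HTTPS and should not be flagged.
SAMPLE_HTML = """
<form method="post" action="http://signup.example.test/register">
  <input name="first_name"><input name="ccNumber"><input name="expMonth"><input name="cvv2">
</form>
<form method="post" action="https://signup.example.test/newsletter"><input name="email"></form>
"""

if __name__ == "__main__":
    for f in audit_forms("https://signup.example.test/daily-wish", SAMPLE_HTML):
        print(f"CLEARTEXT SUBMISSION: {f['action']} carries {f['fields']}")
```

The check only covers the form's declared action; a page served over plain HTTP can still have its form rewritten in transit, so the page itself should be fetched over HTTPS as well.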
An interesting twist to Damato’s blog post is the comment section, where many people rant about outsourcing and jobs instead of the actual issue. Outsourcing certainly brings its own security issues, but a mistake in coding practices is not something you can blame on it; such mistakes happen both in-house and outsourced.
Damato’s post also reminds me of the conviction of a computer consultant in England in 2005. That consultant argued he was worried about his credit card safety when he used a website that looked insecure. His story was not consistent, however, and a judge found him in violation of the Computer Misuse Act 1990.
The conviction of a computer consultant who gained unauthorised access to the Disaster Emergency Committee’s fundraising Web site has left security experts leafing through the magistrate’s decision to try and understand the full implication of the verdict.
On Thursday, Daniel Cuthbert, a computer security consultant from Whitechapel in London, was found guilty of breaching Section One of the Act on the afternoon of New Year’s Eve, 2004. He admitted attempting to access the Web site, which was collecting donations for victims of last year’s tsunami.
I doubt anyone would charge Damato in a similar fashion, so times have apparently changed for the better; or at least Damato does not mince words about what he did and why.