Find A Massive Security Hole At American Express? If You're Not A Cardholder, It Doesn't Care
from the ouch dept
One of the general tenets of white hat security hackers is that when they find a vulnerability they alert the company first and allow them to fix things before they reveal the details. But what if it's impossible to reach anyone at the company? That Anonymous Coward points us to a recent case of someone discovering a serious zero-day vulnerability at American Express... and not only not not being able to find anyone to contact, but also being told that the company would pay more attention to him if he were a cardholer:
As TAC mentioned in his submission, perhaps black hat hackers are merely white hats who got tired of the muzak on hold...
To my great surprise American Express doesn’t allow anybody to contact them. Instead, you’re sent through their ten-year-old copyright noticed website’s first line support jungle to be attacked with questions ensuring that you’re a paying customer. If you’re not then you might as well not bother, unless you feel like speaking technical advanced 0day vulnerabilities with incompetent support personnel either through Twitter direct messages or phone. They will leave you no option of contacting them in a manner that circumvents any theoretical possibility they may have of boosting sales numbers.
The only acceptable contact methods that I found on their site were telephone, fax or physical mail to some typoed country called Swerige. I figured none of them were suitable for 0day reports and decided to turn to Twitter and ask for an e-mail address or some other modern protocol.