How to get a security hole fixed (two versions)
A common but dangerous vulnerability spotted weeks ago on American Express's site was plugged this week after the hole gained blog and then press attention. But there may have been a faster, better way.
Cross-site scripting (XSS) vulnerabilities are unfortunately quite common. An XSS hole allows an attacker to scarf up a legitimate customer's login info, in this case as he enters the site. In the case of the AmEx hole, that information could later be used by the attacker to snoop around the customer's personal information, or worse.
The vulnerability's well-known enough to merit its own archive, but it's a known problem with a known fix. So when HolisticInfoSec blogger Russ McRee spotted the AmEx problem, he expected fairly fast resolution. Or a response, at any rate, from the company recently named the "most trusted in America" for a fifth consecutive year. (Though maybe not unanimously.)
Debate over when to go public with vulnerabilities -- tell the world immediately? tell the company and let them take it from there? tell the company and give them a deadline to make it right? -- has been going on for years. McRee publishes his own "terms of engagement" on his blog, and after following that procedure (two weeks, not fewer than three attempts to contact the company -- one to the Anti-Phishing Team, two to a director of information security for the firm), he turned to the press. A reporter at The Register phoned the company, and about an hour later, the hole was fixed.
According to American Express spokesman Rob Sherman, none of McRee's three contact attempts reached any of the parties he attempted to contact. However, on Tuesday -- the day of McRee's blog post detailing the problem -- a reputation-tracker service AmEx uses spotted McRee's post and alerted the appropriate security staff. The repair was underway when the reporter phoned. However, says Sherman, there was a faster way -- and one that cut out the middleman.
If McRee had addressed the issue as a citizen-journalist, Sherman says the complaint could have been addressed more quickly. "Bloggers and journalists are one and the same to American Express," Sherman says, and if McRee himself had contacted the Media Center with his findings, the right wheels would have started turning quickly.
"That's really lame," responds McRee, adding, "A blog is just a voice for research," especially for security researchers. He notes that companies such as Adobe have put into place reporting processes specifically for vulnerability information. (McRee, ironically, is no ordinary blogger; he's published in Information Security, Linux Magazine, and other venues. The AmEx find was however not connected to any publishing project, paper, or assignment.)
It's an interesting question, and expecting citizen-journalists to follow the journalism tradition of seeking comment on stories/posts poses fascinating questions about how bloggers perceive their writings versus how the companies they cover do -- and whether all the e-mails, blogs and articles in the world really matter if the right eyes don't see them.