(LiveHacking.Com) – The well-known credit card company American Express has fixed an SQL injection vulnerability on its web site that allowed direct access to the server’s database. The flaw was originally found by student Nils Kenneweg; American Express moved quickly to plug the hole and issued a statement saying that the vulnerability was never exploited and that its customer data has remained intact.
Nils discovered the vulnerability when he noticed that the website did not validate data passed to a search function. Crafting special search queries then gave access to the database. Nils reported the vulnerability to the German security website Heise Security, which in turn told its English equivalent The H Security, as well as informing American Express.
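To show the class of defect described above, here is an added example (not code from American Express or from the article): a search function that concatenates the user's term into the SQL text, beside a hardened version that binds the term as a parameter. The table, rows and function names are constructed for illustration; the crafted search term is the textbook tautology used in security training, and the point is that the parameterised version treats it as a literal string and returns nothing.

```python
import sqlite3

# Constructed sample data (not from the article): a small in-memory table
# standing in for the site's searchable records.
SAMPLE_ROWS = [
    ("Gold Card", "consumer"),
    ("Platinum Card", "consumer"),
    ("Corporate Card", "business"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, segment TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Hypothetical unsafe pattern: user input spliced into the SQL text.

    Whatever the user types becomes part of the statement the engine parses,
    so the search term can change the query's meaning.
    """
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    """Parameterised query: the term is bound as a value, never parsed as SQL.

    The wildcard wrapping happens in Python, and the driver passes the
    resulting string to the engine as data, so no input can alter the
    statement's structure.
    """
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def compare(term):
    """Run both variants on the same term and return their results."""
    conn = make_db()
    try:
        return {
            "vulnerable": search_vulnerable(conn, term),
            "hardened": search_hardened(conn, term),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary search behaves the same in both versions.
    print(compare("Gold"))
    # Constructed crafted term: the tautology widens the WHERE clause and the
    # trailing comment discards the rest of the statement in the unsafe
    # version; the hardened version simply finds no product with that name.
    print(compare("' OR 1=1 --"))
```

Running the script shows the vulnerable version returning every row for the crafted term while the hardened version returns an empty list; the fix is to bind parameters everywhere user data reaches a query, rather than trying to validate or strip "special" characters at the search endpoint.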
There is some doubt about American Express’ auditing of this problem, since with direct access to the database it could have been possible to access the data without leaving traces.