American Express Website Security Glitch Could Expose Customer Usernames, Passwords

American Express's website contains a potentially serious security glitch that is causing at least one customer's username and password to show up in URLs on the site, CRN has learned.

Brett Morrison, a Los Angeles-based programmer and technology entrepreneur, discovered the flaw on Sunday after logging in to the American Express website. While trying to book a flight, he noticed that his username and password were displayed in the URL query string, which is the collection of numbers and characters that comes after the file name.

"I'm literally looking at my password in clear text," Morrison told CRN in a phone interview. "I typed it in when I logged into the website, and now I'm looking at it being shown in the query string."

American Express uses HTTPS, but that doesn't protect customers because the query string itself is not encrypted, Morrison said.

Morrison took to Twitter to announce his discovery and included a screen grab documenting the glitch, which has since garnered dozens of retweets:

I still can't believe my eyes, ! This is an . Fix it!

This is "fire the whole IT department" bad RT I still can't believe my eyes, ! Fix it!

American Express couldn't be reached for comment on the glitch.

Query strings are picked up by web logging software all over the Internet, which means usernames and passwords of American Express customers will be showing up in log files as well, according to Morrison.

"The problem with this is that you're showing a password in clear text, which is never OK, especially inside the query string. Every American Express customer is going to have to change their password as a result of this," Morrison said.

Morrison suspects the glitch made its way onto the American Express website during a recent update and has not been there for long. While the glitch does not expose customers' credit card data and personal information, a hacker could search log files and pick out usernames and passwords of customers, and botnets could harvest usernames and passwords without the aid of a keystroke logger, he said.
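The exposure Morrison describes is that a request target such as /book?username=...&password=... is written to every access log along the way. The following added example (not from the article or from American Express) shows how a defender can scan web server access logs for query parameters that should never carry credentials and redact them before the logs are retained; the log lines, parameter names and log format are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that should never appear in a URL (assumed list; extend per application).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "username", "userid", "user"}

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def sensitive_params(target):
    """Return the sorted sensitive parameter names found in a request target's query string."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_KEYS})

def redact_target(target, mask="REDACTED"):
    """Return the request target with sensitive query values masked and other parameters intact."""
    parts = urlsplit(target)
    pairs = [(k, mask if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_log(lines):
    """Return (client, time, leaked_keys, redacted_target) for each line that exposes a credential."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at them
        keys = sensitive_params(m.group("target"))
        if keys:
            findings.append((m.group("client"), m.group("time"), keys, redact_target(m.group("target"))))
    return findings

# Constructed sample access log lines (no real traffic, accounts or credentials).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2014:12:00:01 +0000] "GET /travel/search?dest=LAX&date=2014-02-01 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Jan/2014:12:00:05 +0000] "GET /travel/book?userid=jdoe&password=Hunter2%21&flight=123 HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Jan/2014:12:00:09 +0000] "POST /login HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, when, keys, redacted in scan_log(SAMPLE_LOG):
        print(f"{when} {client} leaked {', '.join(keys)} -> {redacted}")
```

A hit in scan_log is both a detection signal (the application is leaking credentials into URLs) and a trigger to rotate the affected credentials, since copies of the unredacted line may already exist in proxies, CDNs and browser histories.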

Once an individual obtained a customer's username and password, they could see all of their credit card charges as well as buy things with points, Morrison said. "Being able to see all of someone's charges is a huge privacy issue," he said.

Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based security consultancy, called the American Express website glitch "a very serious security weakness" based on Morrison's description.

"What is appalling to me is that a company with the resources of American Express would have a development team that is so clueless about security," Plato said in an email. "It makes you wonder what other big companies have massive gaping holes in their information security."