Report Security Flaws

August 27, 2009

Ameriprise fails to respond appropriately

Filed under: Uncategorized — reportsecurityflaws @ 8:55 pm

Russ McRee, co-founder of ReportSecurityFlaws.com, went public this week with a security disclosure about a vulnerability that was in Ameriprise Financial’s site for much of this year. Russ spoke with Dan Goodin of TheRegisterUK news site about the flaw.

Until just a few days ago when Russ brought these flaws to the attention of the security press, Ameriprise did not reply to any of the warnings that he’d sent.

Part of the Ameriprise site contained cross-site scripting hazards that made it possible for phishing attackers to insert malicious content into browser sessions, and possibly steal session cookies used to authenticate customer accounts.

Ameriprise, like most sites, does not have an easy method to contact a security-aware staff member to alert the company of a potential security hazard. Russ discovered a similar flaw on an American Express site late last year, a flaw that was similarly ignored by the American Express customer service department.

Ameriprise repaired its site less than two hours after being notified by TheRegister.uk of the flaw.

Read the story at El Reg.
