WARNING: American Express fails miserably at basic security (with update)

When Joe Damato looked under the hood of American Express Network’s Daily Wish sign-up form, he wasn’t happy:

The Daily Wish sign up form from the American Express Network is sending credit card numbers, expiration dates, and all the other personal information on the sign up form in the clear back to their server.

Holy. Fuck.

You can read the details and see the screen shots on the Time to Bleed blog.

Joe subsequently posted this update:

As of 3:35pm PST on 5/25/2010 it seems to be fixed. wireshark shows only TLS traffic now, nothing in the clear. Pretty quick fix, since this was published at 11:54am. Good deal.

Hat-tip, Centennial Man

Attorney General James Announces Settlement with Wojeski & Company Accounting Firm
John Bolton Indictment Provides Interesting Details About Hack of His AOL Account and Extortion Attempt
UK: 'Catastrophic' attack as Russians hack files on EIGHT MoD bases and post them on the dark web
The Alliance That Wasn’t: A Critical Analysis of ReliaQuest’s Q3 2025 Ransomware Report
F5 discloses breach tied to nation-state threat actor
Months After Being Notified, a Software Vendor is Still Exposing Confidential and Sealed Court Records

Related: