Security bugs crawl all over financial giant’s website

For the past five months, a website for investment services giant Ameriprise Financial contained bugs that allowed even low-level criminals to inject malicious content into official company webpages and steal user's cookies, according to a web security expert. The XSS, or cross-site scripting, flaws made it possible for phishers …

This topic is closed for new posts.

Posted Friday 21st August 2009 09:11 GMT

M 2

PCI??

Obviously these guys handle CCard details and therefore need to PCI DSS compliant..... this is one of those occasions where the Security Standards Council / Card Issuers need to use the big stick and impose sanctions (ie revoke certification and resultant fines) as they would for a company that size that has not achieved compliance by their target date.

To say... 'I have no idea if someone reported a vulnerability. But I am going to do nothing about how we handle vuln reporting" is tottally unacceptable and quite apart from the failure to comply to Requirement 6.5 (secure development of websites) it is surely also refusing to comply with 12.9 "Implement an Incident Response plan" or Req 5 "Maintain a Vulnerability Management Program".

Tottally lame..... if I had any business with them (which I don't) I would be pulling it and moving to someone else. If the PCI SSC is not going to use the big stick, then the public needs to when companies display this type of attitude..... by voting with their feet!

Martin

Posted Friday 21st August 2009 09:11 GMT

Anonymous Coward

Oh dear

"Please to fix this pwntastic code"? I wouldn't be inclined to take them seriously either.

This topic is closed for new posts.

Forums

User topics | Article topics

Sign up, sign up for The Register's weekly IT security newsletter - click here