This morning the Americanexpress company closed the door to the so lovely /us/admin/ page. If some of you are not aware about the hidden debugging pages, to make it quick, AmericanExpress company collected cookies sessions to investigate their website news from users’ prospective. A fancy but hidden debugging webpage were used to set the cookies to the tester’s browser. Here an example I took some days ago.
The funny story abut this page (that is actually described here for the first time) which makes me laugh is not really about the vulnerability that it is affected (really ? they hit an administration page without protection and they made it vulnerable too ??), but for the ingenuity of programmers that are still trusting to the net. Automatic scanners and Autonomic exploitation engines are always directed to such targets (for example: banks, credit card companies and so on..): why people are still thinking that hiding pages/codes/algorithms/etc. is a good solution against attacks ?
