Monday, March 16, 2009

Online finance flaw: At least AIG got this one right

As our economic conditions worsen, and the gloom and doom chatter intensifies, much attention has been paid to AIG. The crux of the AIG dilemma, to hear Ben Bernanke say it, is that they're too big to let go under, but most observations indicate they deserve to.
"I share your concern, I share your anger," Bernanke told the Senate Budget Committee. "It's a terrible situation, but we're not doing this to bail out AIG or their shareholders. We're doing this to protect our financial system and to avoid a much more severe crisis in our global economy."
Add to that this past week's disclosure that AIG will pay out $170 million in tax payer dollars as bonuses, and today's news that the $170 billion at large is basically already all gone.
Thus, the list of big finance companies becoming fodder for verbal abuse and regulatory oversight just keeps growing.
That said, I am neither an economist or even remotely intelligent enough to speak on these issues with authority, but there's one issue I know relatively well.

As part of the ongoing Online Finance Flaws series, AIG suffered from a cross-site scripting vulnerability in their search script.

I apologize in advance, I couldn't resist a little political, current events humor at AIG's expense as I chose to drop in an IFRAME with a relevant news story.

AIG before:

AIG after:

I initially took note of this vulnerability on It occurred to me that, in all likelihood, no one had bothered to tell AIG. After pinging my circle of industry folks with good contact lists, to no avail, I decided to try winging my disclosure and advisory effort to see what might come of it.
I sent email to abuse@, as well as two other aliases I found on the AIG site security page; specifically, corporatelegalcompliance@ and aig.iaig@.
I received an almost immediate automated response with a ticket number (a good thing), a call from an AIG information security resource the next day (a really good thing), and a week later the issue was fixed (a great thing).

So, as I sit here watching my 401k and investment portfolio fall in value by 75%. due in large part to one group at AIG, I can rest comfortable that another group at AIG (information security) is doing its job well. ;-) | digg | Submit to Slashdot


Anonymous said...

Heh, thanks for this. :)

Rafal Los said...

@Russ - Heh, your wit and sarcasm never fails you, does it Obi Wan? :)

Anonymous said...

Heh, great to see that at least something is right there :)

Excuse me for being serious for a little while, but I can't resist saying that the real problem here is that AIG was let to get to the stage where it is too big to fail. No company should get so big that the tax payers have to help it out otherwise the system would cracked up. That's too bad.

Take care,

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...