Menu
Security company says Nasdaq waited two weeks to fix XSS flaw

Security company says Nasdaq waited two weeks to fix XSS flaw

The flaw could have been used to elicit personal details from the website's users

A Swiss security company said the Nasdaq website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday despite earlier warnings.

A Swiss security company said the Nasdaq website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday despite earlier warnings.

A Swiss security company said the Nasdaq website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday, despite earlier warnings.

Ilia Kolochenko, CEO of the Geneva-based penetration testing company High-Tech Bridge, said he repeatedly emailed Nasdaq and warned of the XSS flaw.

"I can basically say I have spammed them," Kolochenko said in an interview.

A Nasdaq spokesman did not have immediate comment. Nasdaq.com lets users create accounts and build a profile to monitor stocks and news.

Cross-site scripting is an attack on a website in which a script drawn from another site is allowed to run that shouldn't. The attack can be used to steal information or potentially cause other malicious code to run.

Kolochenko said the flaw could have been used by an attacker in several ways, including stealing users' browser histories and their cookies. It could also have been used to inject HTML into a Web page and ask for people's personal details, a request that would appear to come from Nasdaq.

In another kind of attack, Kolochenko said the XSS flaw could be used to plant a link within the Nasdaq site to a malicious website.

Kolochenko said XSS flaws are common, and he has found ones in websites belonging to the BBC, Bloomberg and the Financial Times. Those organizations acknowledged the issues, but it was often a month or so before the websites were fixed, he said.

He found the Nasdaq flaw after noticing some suspicious URLs and conducting a harmless test. At that point, he stopped probing the website and notified Nasdaq by email on their support, abuse and security addresses.

"I didn't want to take it further," he said.

Nasdaq's trading halted on Aug. 22 after a technical problem with a core data feed that distributes market data for securities listed on its exchange. A connectivity issue degraded the ability of the Securities Industry Processor (SP) system to consolidate and disseminate quote and trade information on Nasdaq listed securities.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Tags securityNasdaqExploits / vulnerabilities

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments