nasdaq500
Threat and Vulnerability Management

Security company says Nasdaq waited two weeks to fix XSS flaw

A Swiss security company said the Nasdaq website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday, despite earlier warnings.

Ilia Kolochenko, CEO of the Geneva-based penetration testing company High-Tech Bridge, said he repeatedly emailed Nasdaq and warned of the XSS flaw.

"I can basically say I have spammed them," Kolochenko said in an interview.

Nasdaq.com lets users create accounts and build a profile to monitor stocks and news. Nasdaq said it did not believe the flaw was used by an attacker, and no personal data was compromised.

"We responded to his concerns immediately," Nasdaq said in an email statement. "We take all information security matters seriously. We work with leading security vendors and have a trained and professional team that evaluates all credible threats across our digital assets."

Cross-site scripting is an attack on a website in which a script drawn from another site is allowed to run that shouldn't. The attack can be used to steal information or potentially cause other malicious code to run.

Kolochenko said the flaw could have been used by an attacker in several ways, including stealing users' browser histories and their cookies. It could also have been used to inject HTML into a Web page and ask for people's personal details, a request that would appear to come from Nasdaq.

In another kind of attack, Kolochenko said the XSS flaw could be used to plant a link within the Nasdaq site to a malicious website.

Kolochenko said XSS flaws are common, and he has found ones in websites belonging to the BBC, Bloomberg and the Financial Times. Those organizations acknowledged the issues, but it was often a month or so before the websites were fixed, he said.

He found the Nasdaq flaw after noticing some suspicious URLs and conducting a harmless test. At that point, he stopped probing the website and notified Nasdaq by email on their support, abuse and security addresses.

"I didn't want to take it further," he said.

Nasdaq's trading halted on Aug. 22 after a technical problem with a core data feed that distributes market data for securities listed on its exchange. A connectivity issue degraded the ability of the Securities Industry Processor (SP) system to consolidate and disseminate quote and trade information on Nasdaq listed securities.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

PREVIOUS ARTICLE

« TechTool Pro 7 review: A nearly complete set of Mac troubleshooting tools

NEXT ARTICLE

Security company says Nasdaq waited two weeks to fix XSS flaw »
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail

Recommended for You

International Women's Day: We've come a long way, but there's still an awfully long way to go

Charlotte Trueman takes a diverse look at today’s tech landscape.

Trump's trade war and the FANG bubble: Good news for Latin America?

Lewis Page gets down to business across global tech

20 Red-Hot, Pre-IPO companies to watch in 2019 B2B tech - Part 1

Martin Veitch's inside track on today’s tech trends

Poll

Do you think your smartphone is making you a workaholic?