Threat and Vulnerability Management

Security company says Nasdaq waited two weeks to fix XSS flaw

A Swiss security company said the Nasdaq website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday, despite earlier warnings.

Ilia Kolochenko, CEO of the Geneva-based penetration testing company High-Tech Bridge, said he repeatedly emailed Nasdaq and warned of the XSS flaw.

"I can basically say I have spammed them," Kolochenko said in an interview.

A Nasdaq spokesman did not have immediate comment. lets users create accounts and build a profile to monitor stocks and news.

Cross-site scripting is an attack on a website in which a script drawn from another site is allowed to run that shouldn't. The attack can be used to steal information or potentially cause other malicious code to run.

Kolochenko said the flaw could have been used by an attacker in several ways, including stealing users' browser histories and their cookies. It could also have been used to inject HTML into a Web page and ask for people's personal details, a request that would appear to come from Nasdaq.

In another kind of attack, Kolochenko said the XSS flaw could be used to plant a link within the Nasdaq site to a malicious website.

Kolochenko said XSS flaws are common, and he has found ones in websites belonging to the BBC, Bloomberg and the Financial Times. Those organizations acknowledged the issues, but it was often a month or so before the websites were fixed, he said.

He found the Nasdaq flaw after noticing some suspicious URLs and conducting a harmless test. At that point, he stopped probing the website and notified Nasdaq by email on their support, abuse and security addresses.

"I didn't want to take it further," he said.

Nasdaq's trading halted on Aug. 22 after a technical problem with a core data feed that distributes market data for securities listed on its exchange. A connectivity issue degraded the ability of the Securities Industry Processor (SP) system to consolidate and disseminate quote and trade information on Nasdaq listed securities.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk


« Security company says Nasdaq waited two weeks to fix XSS flaw


Mobile printing: A guide for the BYOD world »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail

Recommended for You

How to (really) evaluate a developer's skillset

Adrian Bridgwater’s deconstruction & analysis of enterprise software

Unicorns are running free in the UK but Brexit poses a tough challenge

Trevor Clawson on the outlook for UK Tech startups

Cloudistics aims to trump Nutanix with 'superconvergence' play

Martin Veitch's inside track on today’s tech trends


Is your organization fully GDPR compliant?