Security company says Nasdaq waited two weeks to fix XSS flaw

The flaw could have been used to elicit personal details from the website's users

A Swiss security company said the Nasdaq website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday despite earlier warnings.

A Swiss security company said the Nasdaq website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday despite earlier warnings.

A Swiss security company said the Nasdaq website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday, despite earlier warnings.

Ilia Kolochenko, CEO of the Geneva-based penetration testing company High-Tech Bridge, said he repeatedly emailed Nasdaq and warned of the XSS flaw.

"I can basically say I have spammed them," Kolochenko said in an interview.

A Nasdaq spokesman did not have immediate comment. Nasdaq.com lets users create accounts and build a profile to monitor stocks and news.

Cross-site scripting is an attack on a website in which a script drawn from another site is allowed to run that shouldn't. The attack can be used to steal information or potentially cause other malicious code to run.

Kolochenko said the flaw could have been used by an attacker in several ways, including stealing users' browser histories and their cookies. It could also have been used to inject HTML into a Web page and ask for people's personal details, a request that would appear to come from Nasdaq.

In another kind of attack, Kolochenko said the XSS flaw could be used to plant a link within the Nasdaq site to a malicious website.

Kolochenko said XSS flaws are common, and he has found ones in websites belonging to the BBC, Bloomberg and the Financial Times. Those organizations acknowledged the issues, but it was often a month or so before the websites were fixed, he said.

He found the Nasdaq flaw after noticing some suspicious URLs and conducting a harmless test. At that point, he stopped probing the website and notified Nasdaq by email on their support, abuse and security addresses.

"I didn't want to take it further," he said.

Nasdaq's trading halted on Aug. 22 after a technical problem with a core data feed that distributes market data for securities listed on its exchange. A connectivity issue degraded the ability of the Securities Industry Processor (SP) system to consolidate and disseminate quote and trade information on Nasdaq listed securities.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Tags securityNasdaqExploits / vulnerabilities

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Enterprise Virtualisation Security

Deep Security provides a comprehensive Server Security Platform giving organisations advanced protection for Physical, Virtual, and Cloud Servers.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.