Security holes found on the NASDAQ website


A researcher at Swiss-based security firm High-Tech Bridge claims to have found a number of weaknesses on the main NASDAQ website.

Ilia Kolochenko, CEO of High-Tech Bridge, took an interest in the website after the stock exchange ground to a halt for a few hours in August due to “technical issues”.

Kolochenko says that he found that the website was vulnerable to XSS (cross-site scripting) attacks that malicious hackers could exploit to, for instance, trick users into handing over sensitive information in phishing attacks.

XSS vulnerability on

Kolochenko says that he contacted Nasdaq three weeks ago, informing them that hackers could exploit the vulnerabilities to steal users’ browser history and cookies, perform phishing attacks and access confidential data.

With news of the flaws becoming public today, Nasdaq appears to have taken action to fix the vulnerabilities… however, at the time of writing, as evidenced by the screenshot above, one still remains.

In a press statement, Kolochenko bemoaned the tardy response of the website in acknowledging that the security holes existed:

“The fact that they are vulnerable is not very shocking to me, as approximately 90% of existing websites are vulnerable today. But I was surprised not to receive any Nasdaq acknowledgement of my findings during a three week period, especially taking into consideration their recent technical failure. I think that such important companies as Nasdaq should have a rapid response mechanism to ensure that the IT security team can react quickly, which seems not to be the case today.”

“This means anyone could inject arbitrary HTML code into to display a fake web form demanding credit card numbers and other personal information or to inject malware to infect PC users. The only limit is the hacker’s imagination.”

Whether you are running a website used by millions of people, or only get a few dozen visitors a month, it’s essential that you keep on top of security issues and ensure that your site doesn’t have flaws that could be exploited by malicious hackers.

In NASDAQ’s case, it’s clearly important that they do a thorough review of all their internet-facing systems. Just last month, hackers hit the NASDAQ’s community forum, compromising email addresses and passwords.


One Response

  1. spryte

    September 16, 2013 at 4:08 pm #

    “hackers could exploit the vulnerabilities to steal users’ browser history and cookies”

    A few years ago I was taught that this was possible and got into the practice of deleting all cookies (including Flash and Silverlight persistent storage), cache and history after every session.
    It only takes a few seconds.
