Security holes found on the NASDAQ website

Graham Cluley

A researcher at Swiss-based security firm High-Tech Bridge claims to have found a number of weaknesses on the main NASDAQ website.

Ilia Kolochenko, CEO of High-Tech Bridge, took an interest in the nasdaq.com website after the stock exchange ground to a halt for a few hours in August due to “technical issues”.

Kolochenko says that he found the website was vulnerable to XSS (cross-site scripting) attacks, which could be exploited by malicious hackers to – for instance – trick users into handing over sensitive information in phishing attacks.

XSS vulnerability on Nasdaq.com

Kolochenko says that he contacted Nasdaq three weeks ago, informing them that hackers could exploit the vulnerabilities to steal users’ browser history and cookies, perform phishing attacks and access confidential data.

With news of the flaws becoming public today, Nasdaq appears to have taken action to fix the vulnerabilities… however, at the time of writing, as evidenced by the screenshot above, one still remains.

In a press statement, Kolochenko bemoaned Nasdaq’s slow response in acknowledging that the security holes existed:

“The fact that they are vulnerable is not very shocking to me, as approximately 90% of existing websites are vulnerable today. But I was surprised not to receive any Nasdaq acknowledgement of my findings during a three week period, especially taking into consideration their recent technical failure. I think that such important companies as Nasdaq should have a rapid response mechanism to ensure that the IT security team can react quickly, which seems not to be the case today.”

“This means anyone could inject arbitrary HTML code into Nasdaq.com to display a fake web form demanding credit card numbers and other personal information or to inject malware to infect PC users. The only limit is the hacker’s imagination.”

Whether you are running a website used by millions of people, or only get a few dozen visitors a month, it’s essential that you keep on top of security issues and ensure that your site doesn’t have flaws that could be exploited by malicious hackers.

In NASDAQ’s case, it’s clearly important that they do a thorough review of all their internet-facing systems. Just last month, hackers hit NASDAQ’s community forum, compromising email addresses and passwords.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “Security holes found on the NASDAQ website”

  1. Quoting: “hackers could exploit the vulnerabilities to steal users’ browser history and cookies”

    A few years ago I was taught that this was possible and got into the practice of deleting all cookies (including Flash and Silverlight persistent storage), cache and history after every session.
    It only takes a few seconds.
