NASDAQ then took two weeks to fill the holes.
Ilia Kolochenko, CEO of Geneva-based High-Tech Bridge, uncovered a cross-site scripting vulnerability. “A quick and totally harmless test confirmed an exploitable XSS vulnerability that allows injecting arbitrary HTML and scripting code into NASDAQ.com webpages,” he said in a statement.
"I initially reported one XSS [cross-site scripting] and one open redirect, which I found in about 10 minutes," he added. Kolochenko said that it was very likely that NASDAQ has other, more dangerous vulnerabilities as well.
In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. It is employed by attackers for a range of reasons, from simply interfering with websites to launching phishing attacks against web users; the scripts can even rewrite the content of the HTML page. All very dangerous fare for a trading platform with connections to online trading.
Kolochenko said he contacted NASDAQ on Sept. 2 but that the stock exchange didn’t respond to his notifications, which he sent to a host of generic email addresses, like security@nasdaq.com and abuse@nasdaq.com.
A NASDAQ representative confirmed this morning that the issues had been patched and said that it took the time to verify the problem. “We have fixed the vulnerability, and we began working on the issue once it was flagged to us by the High-Tech CEO – we address any and all vulnerabilities identified, whether internally via our standard processes or externally, like the one we received on September 2,” a NASDAQ representative said in a statement. “We take all information security matters seriously. We work with leading security vendors and have a trained and professional team that evaluates all credible threats across our digital assets.”