Ilia Kolochenko, CEO of High-Tech Bridge, took an interest in the nasdaq.com website after the stock exchange ground to a halt for a few hours in August due to “technical issues”.
Kolochenko says that he found that the website was vulnerable to XSS (cross-site scripting) attacks, that could be exploited by malicious hackers to – for instance – trick users into handing over sensitive information in phishing attacks.
Kolochenko says that he contacted Nasdaq three weeks ago, informing them that hackers could exploit the vulnerabilities to steal users’ browser history and cookies, perform phishing attacks and access confidential data.
With news of the flaws becoming public today, Nasdaq appears to have taken action to fix the vulnerabilities. However, at the time of writing, as evidenced by the screenshot above, one still remains.
In a press statement, Kolochenko bemoaned the tardy response of the website in acknowledging that the security holes existed:
“The fact that they are vulnerable is not very shocking to me, as approximately 90% of existing websites are vulnerable today. But I was surprised not to receive any Nasdaq acknowledgement of my findings during a three week period, especially taking into consideration their recent technical failure. I think that such important companies as Nasdaq should have a rapid response mechanism to ensure that the IT security team can react quickly, which seems not to be the case today.”
“This means anyone could inject arbitrary HTML code into Nasdaq.com to display a fake web form demanding credit card numbers and other personal information or to inject malware to infect PC users. The only limit is the hacker’s imagination.”
Whether you are running a website used by millions of people, or only get a few dozen visitors a month, it’s essential that you keep on top of security issues and ensure that your site doesn’t have flaws that could be exploited by malicious hackers.
In NASDAQ’s case, it’s clearly important that they do a thorough review of all their internet-facing systems. Just last month, hackers hit the NASDAQ’s community forum, compromising email addresses and passwords.