Security holes found on the NASDAQ website

Graham Cluley

A researcher at Swiss-based security firm High-Tech Bridge claims to have found a number of weaknesses on the main NASDAQ website.

Ilia Kolochenko, CEO of High-Tech Bridge, took an interest in the website after the stock exchange ground to a halt for a few hours in August due to “technical issues”.

Kolochenko says he found that the website was vulnerable to XSS (cross-site scripting) attacks that could be exploited by malicious hackers to, for instance, trick users into handing over sensitive information in phishing attacks.

XSS vulnerability on

Kolochenko says that he contacted Nasdaq three weeks ago, informing them that hackers could exploit the vulnerabilities to steal users’ browser history and cookies, perform phishing attacks and access confidential data.

With news of the flaws becoming public today, Nasdaq appears to have taken action to fix the vulnerabilities… however, at the time of writing, as evidenced by the screenshot above, one still remains.

In a press statement, Kolochenko bemoaned the tardy response of the website in acknowledging that the security holes existed:

“The fact that they are vulnerable is not very shocking to me, as approximately 90% of existing websites are vulnerable today. But I was surprised not to receive any Nasdaq acknowledgement of my findings during a three week period, especially taking into consideration their recent technical failure. I think that such important companies as Nasdaq should have a rapid response mechanism to ensure that the IT security team can react quickly, which seems not to be the case today.”

“This means anyone could inject arbitrary HTML code into to display a fake web form demanding credit card numbers and other personal information or to inject malware to infect PC users. The only limit is the hacker’s imagination.”

Whether you are running a website used by millions of people, or only get a few dozen visitors a month, it’s essential that you keep on top of security issues and ensure that your site doesn’t have flaws that could be exploited by malicious hackers.

In NASDAQ’s case, it’s clearly important that they do a thorough review of all their internet-facing systems. Just last month, hackers hit the NASDAQ’s community forum, compromising email addresses and passwords.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

One comment on “Security holes found on the NASDAQ website”

  1. spryte

    "hackers could exploit the vulnerabilities to steal users’ browser history and cookies"

    A few years ago I was taught that this was possible and got into the practice of deleting all cookies (including Flash and Silverlight persistent storage), cache and history after every session.
    It only takes a few seconds.
