Update: Nasdaq waited two weeks to fix flaws

Exchange delayed fixing potentially critical website vulnerabilities despite multiple alerts, security firm says

A Swiss security firm says that critical cross-site scripting vulnerabilities it discovered on Nasdaq's website weren't fixed until more than two weeks after it alerted the stock exchange to the problems.

The vulnerabilities could have let a hacker gain full access to Nasdaq.com and execute commands at will, said Geneva-based High-Tech Bridge.

The flaw was fixed on Monday.

The cross-site scripting flaws would have also let a malicious attacker inject arbitrary HTML code into Nasdaq.com to serve up a fake web form to collect credit card and other personal data, or to drop malicious code onto a user's system.
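The mechanism behind that paragraph is output encoding: a cross-site scripting flaw exists when text a visitor supplies (a search term, a profile field) is written into the page unchanged, so a browser renders any markup it contains. The example below is added here and is not code from the article, from Nasdaq or from High-Tech Bridge; the function names, the page template and the sample query are all constructed for illustration. It places a vulnerable renderer beside the hardened version and includes a small check that flags any tag in the output that was not part of the template.

```javascript
// Added example (not from the article, Nasdaq or High-Tech Bridge).
// All names, the template and SAMPLE_QUERY are constructed for this demo.

// Encode the characters that let user-supplied text break out of an HTML
// text node or attribute value. '&' must be replaced first so the entities
// produced by the later replacements are not re-encoded.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the query is concatenated into the page as-is, so any markup
// in it becomes part of the document the visitor's browser renders.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// HARDENED: same page, with the query HTML-encoded before insertion.
// The browser now displays the angle brackets instead of interpreting them.
function renderSearchPageSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Cheap review/detection check (not a sanitizer): does the rendered output
// contain any tag name that is not part of the page template?
function containsForeignTag(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)].map((m) =>
    m[1].toLowerCase()
  );
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed sample input: a search term carrying benign markup.
const SAMPLE_QUERY = "<i>injected</i> AAPL";

// Stand-alone demonstration.
const vulnerableOutput = renderSearchPageVulnerable(SAMPLE_QUERY);
const safeOutput = renderSearchPageSafe(SAMPLE_QUERY);
console.log("vulnerable:", vulnerableOutput);
console.log("hardened:  ", safeOutput);
console.log("foreign tag in vulnerable output:", containsForeignTag(vulnerableOutput, ["h1"]));
console.log("foreign tag in hardened output:  ", containsForeignTag(safeOutput, ["h1"]));
```

The same encoding rule applies wherever a value is placed in HTML text or a quoted attribute; values inserted into JavaScript, URLs or CSS need the encoding appropriate to that context, and a Content-Security-Policy header is a useful second layer but not a substitute for encoding.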

Nasdaq.com lets users create accounts and build a profile to monitor stocks and news. Nasdaq said it did not believe the flaw was used by an attacker, and no personal data was compromised.

High-Tech Bridge CEO Ilia Kolochenko said that he found the vulnerabilities while browsing Nasdaq's website in the wake of an Aug. 22 outage of the Nasdaq site.

At the time the stock exchange blamed the glitch on a connectivity issue between an exchange participant and a data feed called the Securities Information Processor system.

Kolochenko said that a cursory inspection of Nasdaq's website in the days following that outage showed that it was vulnerable to easily carried out web application attacks.

He said that he sent email messages to a dozen addresses on Nasdaq's website to alert them to the security threat. The email alerts contained detailed information on the vulnerabilities and cautioned Nasdaq about how they could be exploited to access confidential data from user PCs and to steal browser histories and cookies of those visiting Nasdaq's website.

"I can basically say I have spammed them," Kolochenko said in an interview.

Despite repeated attempts to reach Nasdaq, the exchange did not respond to the alerts and in fact did not address the website flaws until Monday morning after reports in news media, he said.

A Nasdaq spokesman said the exchange responded to the security firm's concerns "immediately."

"We take all information security matters seriously. We work with leading security vendors and have a trained and professional team that evaluates all credible threats across our digital assets," the spokesman said.

Nasdaq's security unit addresses all vulnerabilities, whether identified internally via the exchange's standard processes or externally from third parties, after extensive validation procedures. Once an alert is received, a trouble ticket is created and the process to remediate the issue starts immediately, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.
