In the wake of the outage that brought Nasdaq stock exchange trading to a halt just over three weeks ago, Swiss information security firm High-Tech Bridge finds that the Nasdaq website is vulnerable, putting its end users and customers at high risk.
The August 22 outage bore the signs of the politically motivated hacking attacks that have been hitting US financial institutions since September 2012.
Ilia Kolochenko, CEO of High-Tech Bridge, says: “After the media reporting around Nasdaq’s August technical failure and following Syrian hacker attacks against US media, I was interested in the web platform Nasdaq uses for its website. Browsing Nasdaq.com, I unintentionally came across several indications that the web application may be vulnerable to XSS (Cross-Site Scripting) attacks. A quick (and totally harmless) test confirmed an exploitable XSS vulnerability that allows injecting arbitrary HTML and scripting code into Nasdaq.com web pages.”
Kolochenko contacted Nasdaq three weeks ago, sending a detailed alert to numerous Nasdaq email addresses and informing them that hackers could exploit the vulnerabilities to steal users’ browser history and cookies, perform phishing attacks and access confidential data.
High-Tech Bridge has repeatedly tried to alert Nasdaq to the problem, has not yet received a response, and finds that the vulnerabilities still exist today and remain unpatched (update: one vulnerability was patched early on the morning of Monday 16th September).
High-Tech Bridge also recently analysed high-profile media websites. The astonishing finding of both exercises was the ease with which the vulnerabilities were found. No laws were broken in probing the websites: each vulnerability was found in less than 15 minutes simply through Google Search.
High-Tech Bridge CEO Ilia Kolochenko claims: “A competent hacker could potentially gain full access to Nasdaq.com within a couple of days, with the ability to do almost whatever he wants, such as pushing an announcement that Facebook shares have dropped 90%, which could cause havoc on the stock exchange.”
“The fact that they are vulnerable is not very shocking to me, as approximately 90% of existing websites are vulnerable today. But I was surprised not to receive any Nasdaq acknowledgement of my findings during a three week period, especially taking into consideration their recent technical failure. I think that such important companies as Nasdaq should have a rapid response mechanism to ensure that the IT security team can react quickly, which seems not to be the case today.”
“This means anyone could inject arbitrary HTML code into Nasdaq.com to display a fake web form demanding credit card numbers and other personal information or to inject malware to infect PC users. The only limit is the hacker’s imagination.”
While larger organisations have dedicated IT security teams to deal with hacks and vulnerabilities, High-Tech Bridge recently launched ImmuniWeb, an affordable web security service for SMEs (SMBs) which combines an automated scan of a website for vulnerabilities with a manual penetration test by a security expert.