At the beginning of this month, Swiss penetration testing company High-Tech Bridge identified what it described as a simple cross-site scripting (XSS) vulnerability on NASDAQ’s website.
Two weeks later, this simple flaw has finally been patched, according to reports.
“We have fixed the vulnerability, and we began working on the issue once it was flagged to us by the High-Tech CEO – we address any and all vulnerabilities identified, whether internally via our standard processes or externally, like the one we received on September 2,” a NASDAQ representative told Threatpost.
The vulnerability was discovered in an application during an investigation into the cause of the August 22 network outage that resulted in trading being suspended for several hours.
“A quick and totally harmless test confirmed an exploitable XSS vulnerability that allows injecting arbitrary HTML and scripting code into NASDAQ.com webpages,” said High-Tech Bridge CEO Ilia Kolochenko.
“It’s not something that would shut down the site, but if a good hacker group wanted to hack them, XSS will make that hack simpler for them,” Kolochenko continued.
Pressure from media reports on the unmitigated XSS vulnerability is credited with prompting NASDAQ to finally take action.