Security Company Says NASDAQ Waited Two Weeks To Fix XSS Flaw
alphadogg writes "A Swiss security company said the NASDAQ website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday, despite earlier warnings. Ilia Kolochenko, CEO of the Geneva-based penetration testing company High-Tech Bridge, said he repeatedly emailed NASDAQ and warned of the XSS flaw. 'I can basically say I have spammed them,' Kolochenko said in an interview. A NASDAQ spokesman did not have immediate comment. NASDAQ.com lets users create accounts and build a profile to monitor stocks and news."
What are you laughing at, it's clearly very difficult to fix one XSS vulnerability.
Despite the twitch mindset that many people on this website have about security vulnerabilities, fixing a bug like that and deploying the fix in only 2-weeks is excellent for any project (open/closed/otherwise) and is especially good for a large commercial service like Nasdaq.
AntiFA: An abbreviation for Anti First Amendment.
The NASDAQ today had its 3rd significant pricing problem in the past few weeks.
http://www.nasdaq.com/article/options-exchanges-halt-trading-20130916-00868
These guys seriously need to improve their reliability.
That's not too bad, all things considered. Maybe they have a proper structured development shop (not too structured, since it obviously doesn't include code reviews or vuln scanning)? Maybe they had maintenance windows which they are contractually bound to (and it's more expensive to make an exception than to deal with a flaw)? Maybe once they were made aware of the problem they were scanning the database system for odd entries or suspicious activity? Maybe they needed to get an independent auditor to review so they can appease their various stakeholders?
Hopefully they learned from this, and will at least run an automated vulnerability tool against the app for future releases.
Wearing pants should always be optional.
Butt-Head: Huh huh, you said penetration.
Beavis: I'd love to work at that place!
So, it's the NASDAQ website. Who goes to the NASDAQ website? You can't trade stocks there. Financial information was not leaked, so BFD. This is fairly common on any website. Sounds to me like a single security researcher got butthurt because they didn't acknowledge his finding quickly enough.
(-1, Raw and Uncut is the only way to read)
I can basically say I've spammed them
Well, there's your answer.
nasdaq.com is a simple front-end fluff site for viewing quotes and doing basic company research. No critical systems or customer data.
Two weeks is a long time for a few minutes worth of work. It is symptomatic of the kind of disease you find in all large organizations.
They could have implemented the fix before checking the DB or doing other auditing. Those things are not dependent on each other.
Don't you get it yet? Most people don't understand security issues. Even fewer are interested in theoretical security issues. Here we have a perfect example of apathy without cost.
So what if there was a security hole? It's been fixed. So what if it existed for one week/month/year? No one exploited it so it can't have been all that "real" a risk. So what if NASDAQ could have lost millions? It's not my money and I didn't lose a penny, ergo, I don't care!
So what? No one cares!
It's called process.
Product Owner is sent notice of vulnerability.
Operation or QA tries to reproduce the issue.
Upon confirming the vulnerability, Product Owner tells business analyst and dev. manager about issue: change request is created.
Dev team picks up ticket, and does more analysis.
Geek reproduces issue locally.
Geek writes failing, automated test that reproduces the error.
Geek fixes error, automated test is passing.
Geek has code reviewed by team members, and probably infosec.
Geek hands code off to QA.
QA first does a check to see the vulnerability, then tests that the code is really fixed, also validating that Geek's script isn't broken. Then does a regression test to make sure that the code isn't broken.
QA schedules time with operations to meet and discuss deployment plan.
Code is deployed to stage environment and tested some more.
Operations then deploys the fixed code.
If, at NASDAQ, you create even a moment of downtime, your ass is chewed, spit out, and handed back to you.
I love how apparently everyone complaining about this must have mastered all unintended consequences.
Sometimes fixing a bug just isn't that important, even a security bug. Sometimes the stuff you break can be worse than what you fixed. This is why it may take 30 minutes or 2 days to fix the issue, but much longer to make sure you actually want to push it to production.
If they had private medical data or insider information that could be hacked by exploiting the issue I imagine they would have fixed it within an hour. As it stands, they probably didn't _need_ to fix it any faster than a few weeks.
Agreed. Chances are there are a bunch of PMPs and ITIL processes in place. Could be internal politics.
Coding for a few minutes is one thing. Testing it, getting someone to approve moving something to prod, and herding people to actually do work is a bunch of other things. Legal and PR may get involved too.
In some corps I worked at, the finger-pointing usually takes days and involves a bunch of crappy meetings. It can be days before someone engages InfoSec or the developers to confirm a problem.
Two weeks is not terrible; better than most large corporations.
I realize it takes a few minutes to fix an individual XSS problem, but what was the vulnerability here?
NASDAQ says this from the article:
Nasdaq.com lets users create accounts and build a profile to monitor stocks and news. Nasdaq said it did not believe the flaw was used by an attacker, and no personal data was compromised.
"We responded to his concerns immediately," Nasdaq said in an email statement. "We take all information security matters seriously. We work with leading security vendors and have a trained and professional team that evaluates all credible threats across our digital assets."
So they took the information seriously, evaluated it and said that it didn't create a big gaping hole.
while the guy who notified them of the problem reportedly said:
Kolochenko said the flaw could have been used by an attacker in several ways, including stealing users' browser histories and their cookies. It could also have been used to inject HTML into a Web page and ask for people's personal details, a request that would appear to come from Nasdaq.
In another kind of attack, Kolochenko said the XSS flaw could be used to plant a link within the Nasdaq site to a malicious website.
Kolochenko said XSS flaws are common, and he has found ones in websites belonging to the BBC, Bloomberg and the Financial Times. Those organizations acknowledged the issues, but it was often a month or so before the websites were fixed, he said.
Yes, so XSS vulnerabilities are bad, and it's up to the website owner to ascertain how bad it could be for their website on a case-by-case basis. It sounds like this guy, however, spends his days just digging up XSS vulnerabilities and then spams the companies saying you have a problem, possibly to mine bug-finding cash. I think you'll find that in each case, those companies notified of an XSS vulnerability addressed the issue within their usual change management process. This is a reasonable and logical approach.
Now, if the guy said "XSS vulnerability crashes NASDAQ and steals your money!" or "NSA uses XSS vulnerabilities to steal your data." I'd be a bit more worried.
Nothing to see here, move along and remain calm.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
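The quoted article describes the class of bug at issue: untrusted profile text landing in a page as HTML, so an attacker's markup (a fake personal-details form, a planted link) appears to come from the site. The following is an added example, not code from the thread, from NASDAQ or from High-Tech Bridge, and it says nothing about what the real nasdaq.com flaw looked like. It assumes a hypothetical profile page that echoes a user-chosen display name, shows the unencoded sink beside the contextually encoded fix, and includes the kind of regression check a team would keep so a fix is not silently undone in a later release. The sample display name is constructed.

```javascript
// Added example (hypothetical profile page; not the thread's or NASDAQ's code).
// Demonstrates why an HTML-context XSS sink exists and how output encoding
// closes it. The "payload" is a constructed sample, not the real flaw.

// Constructed sample: a display name containing markup, as a user could submit.
const SAMPLE_DISPLAY_NAME = '<img src=x onerror="alert(1)">Investor';

// Vulnerable rendering: untrusted text is concatenated straight into HTML,
// so any tag in the input becomes part of the page.
function renderProfileUnsafe(displayName) {
  return `<h2>Welcome, ${displayName}</h2>`;
}

// Encode the characters that are significant in an HTML element or
// attribute context. This is the standard entity encoding, not a filter.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same template, input encoded for the context it lands in.
function renderProfileSafe(displayName) {
  return `<h2>Welcome, ${escapeHtml(displayName)}</h2>`;
}

// Regression check: list every tag name present in the rendered markup and
// flag anything that is not part of the template. Teams keep a test like this
// next to the fix so the encoding cannot be dropped unnoticed later.
function containsUnexpectedTags(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Stand-alone run: show both renderings and the check result.
console.log('unsafe :', renderProfileUnsafe(SAMPLE_DISPLAY_NAME));
console.log('safe   :', renderProfileSafe(SAMPLE_DISPLAY_NAME));
console.log('unsafe leaks tags:', containsUnexpectedTags(renderProfileUnsafe(SAMPLE_DISPLAY_NAME), ['h2']));
console.log('safe leaks tags  :', containsUnexpectedTags(renderProfileSafe(SAMPLE_DISPLAY_NAME), ['h2']));
```

The point of `containsUnexpectedTags` is not to be a sanitizer (it is far too weak for that) but to turn the fix into an automated test in the sense the process comment above describes: a failing test before the fix, a passing one after, and a guard against the next release regressing it.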
Of course NASDAQ could have fixed it immediately, but what very valuable information did they gather during the two-week window from first report to fixing it?
Why, all the info on all the zero-day crackers giving it a go during that period -- a massive sort of honeypot operation.
Think about it. Easy to plan the protocol for. Like flies to honey.
General Clapper States:
"What we do not do," Clapper said in a statement, "is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of - or give intelligence we collect to - U.S. companies to enhance their international competitiveness or increase their bottom line."
This is a provable lie!
Happy Birthday "General" Clapper.
Wait. The NASDAQ is a huge gambling institute where you can gamble with other people's money, right? What reliability are you speaking of?
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!