Slashdot Mirror


Security Company Says NASDAQ Waited Two Weeks To Fix XSS Flaw

alphadogg writes "A Swiss security company said the NASDAQ website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday, despite earlier warnings. Ilia Kolochenko, CEO of the Geneva-based penetration testing company High-Tech Bridge, said he repeatedly emailed NASDAQ and warned of the XSS flaw. 'I can basically say I have spammed them,' Kolochenko said in an interview. A NASDAQ spokesman did not have immediate comment. NASDAQ.com lets users create accounts and build a profile to monitor stocks and news."

3 of 61 comments

  1. Sounds like a fast response... by CajunArson · Score: 4, Interesting

    Despite the twitch mindset that many people on this website have about security vulnerabilities, fixing a bug like that and deploying the fix in only 2 weeks is excellent for any project (open/closed/otherwise) and is especially good for a large commercial service like Nasdaq.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Sounds like a fast response... by cbhacking · Score: 5, Interesting

      Um... no. Fixing XSS is trivial. I work in this field myself; only a small percentage of our clients take more than a week to fix a reported issue, and many manage it same-day. This includes quite large and well-known software companies and websites, including in the financial sector (although I'll admit that the financial sector tends to be on the slower end of things).

      --
      There's no place I could be, since I've found Serenity...
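cbhacking's point that fixing XSS is trivial, illustrated with an added example that is not code from the article, from NASDAQ, or from any commenter: a constructed profile page that echoes a user-supplied display name, rendered first by plain string concatenation and then with HTML entity encoding for the element-body context. The scenario, the field name, the function names and the sample input are all assumptions made for the example.

```javascript
// Added example (not from the article or the commenters): why a stored or
// reflected XSS in a user-profile page is usually a small, local fix.
// Assumed scenario: a "display name" field that the site echoes back into
// HTML. The site, field name and sample input are constructed.

// Minimal HTML entity encoder for text placed inside an element body or a
// double-quoted attribute value. These five characters are the ones that can
// change the HTML parser's state in those contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: untrusted input is concatenated straight into markup,
// so a name containing a tag becomes part of the page's DOM.
function renderProfileUnsafe(displayName) {
  return '<h1>Watchlist for ' + displayName + '</h1>';
}

// Hardened rendering: identical template, but the untrusted value is encoded
// for the HTML context it lands in. This is the whole fix for this pattern.
function renderProfileSafe(displayName) {
  return '<h1>Watchlist for ' + escapeHtml(displayName) + '</h1>';
}

// Cheap regression check worth keeping in a test suite: no raw tag of the
// given name may survive rendering of an untrusted field.
function containsRawTag(html, tagName) {
  return new RegExp('<' + tagName + '\\b', 'i').test(html);
}

// Constructed sample input: a display name carrying a script tag.
const sampleName = "Alice <script>alert(1)</script>";

// Stand-alone demonstration: the unsafe page keeps the tag, the safe one
// turns it into inert text.
console.log('unsafe:', renderProfileUnsafe(sampleName));
console.log('safe:  ', renderProfileSafe(sampleName));
```

Context matters: this encoder is correct for text inside an element body or a quoted attribute value, but a value dropped into a JavaScript block, a URL, or an unquoted attribute needs the encoder for that context, which is usually the only part of an XSS fix that takes real thought.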
  2. How about the real story today? by the+eric+conspiracy · Score: 4, Interesting

    The NASDAQ today had its 3rd significant pricing problem in the past few weeks.

    http://www.nasdaq.com/article/options-exchanges-halt-trading-20130916-00868

    These guys seriously need to improve their reliability.