A Swiss security company said the Nasdaq website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday, despite earlier warnings.
Ilia Kolochenko, CEO of the Geneva-based penetration testing company High-Tech Bridge, said he repeatedly emailed Nasdaq and warned of the XSS flaw.
"I can basically say I have spammed them," Kolochenko said in an interview.
A Nasdaq spokesman did not have immediate comment. Nasdaq.com lets users create accounts and build a profile to monitor stocks and news.
Cross-site scripting is an attack on a website in which a script drawn from another site is allowed to run that shouldn't. The attack can be used to steal information or potentially cause other malicious code to run.
Kolochenko said the flaw could have been used by an attacker in several ways, including stealing users' browser histories and their cookies. It could also have been used to inject HTML into a Web page and ask for people's personal details, a request that would appear to come from Nasdaq.
In another kind of attack, Kolochenko said the XSS flaw could be used to plant a link within the Nasdaq site to a malicious website.
Kolochenko said XSS flaws are common, and he has found ones in websites belonging to the BBC, Bloomberg and the Financial Times. Those organizations acknowledged the issues, but it was often a month or so before the websites were fixed, he said.
He found the Nasdaq flaw after noticing some suspicious URLs and conducting a harmless test. At that point, he stopped probing the website and notified Nasdaq by email on their support, abuse and security addresses.
"I didn't want to take it further," he said.
Nasdaq's trading halted on Aug. 22 after a technical problem with a core data feed that distributes market data for securities listed on its exchange. A connectivity issue degraded the ability of the Securities Industry Processor (SP) system to consolidate and disseminate quote and trade information on Nasdaq listed securities.
Send news tips and comments to email@example.com. Follow me on Twitter: @jeremy_kirk