Cross Site Scripting can cause your stock to tank

A woman working at HP Israel sent an email to hundreds of co-workers claiming (falsely) that a snack made by Osem, one of the largest food manufacturers in Israel and the local subsidiary of the Nestle food giant, causes infant death.

This email quickly spread and the immediate result was a 6% drop in Osem’s stock in just a few hours.

The email wasn’t very sophisticated. It wasn’t even remotely true, and the Ministry of Health immediately issued a statement confirming the rumour is false. Still, Osem – one of the largest companies in Israel – will see its stock down a few percent over this rumor.

Earlier this month, Apple’s stock went down following rumors that Apple’s CEO Steve Jobs had a heart attack. The Apple stock takes a beating every time that rumor surfaces, and that happens regularly.

Stocks going up or down because of rumors is as old as the stock market itself. But the Internet makes it easier to create a rumor that reaches far and wide within hours; there is just one more component that is missing: credibility.

Imagine if you saw a news item on Apple.com that discussed the death of CEO and chairman Steve Jobs. Imagine if you saw a clarification text on Osem’s web site explaining that the ‘bamba’ snack is indeed suspected of poisoning infants. This is not difficult to do – I don’t really need to break in or deface the web sites for this to happen – I just need to find a cross site scripting vulnerability and use it for the attack.

In fact, we made a quick proof of concept for the Tel Aviv Stock Exchange a few years ago, when we planted a false news item using a cross site scripting attack. The reaction from TASE was familiar to anyone who has ever reported an XSS vulnerability: “oh, this is not really a problem as it does not permanently change the page” (for something that is “not a problem” they sure fixed it within the hour, though).

We’ve repeated this exercise almost every time our vulnerability scanning service found an XSS vulnerability and we had to explain why the report claims it’s a serious issue. We planted false financial reports in the ‘investors’ section and altered news items, and in almost all cases we met with the standard reaction: “this is not a real vulnerability” and “how can this really affect me?”

Most security researchers opt to explain XSS as an attack for stealing cookies. While this is true, I think there’s a greater risk in altering the information the page shows to visitors, which could be useful in a phishing attack or, like the examples above, in a speculative attack.

I’m waiting for the first XSS attack that will tank a big company stock. If you’re reading this, make sure your company won’t be the one.
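The defect behind every example above is the same: a request parameter is reflected into the page unencoded, so whatever text an attacker places in a link is rendered as part of a trusted site. The following is an added illustration (not code from this post or from BeyondSecurity’s scanner) using a hypothetical ‘investor news’ search page: the vulnerable renderer beside its hardened form, and the harmless probe check a scanner uses to tell them apart.

```python
import html


def render_news_vulnerable(query: str) -> str:
    """Hypothetical investor-news page that reflects the search term
    straight into the markup. Anything in `query` is rendered as HTML,
    which is exactly what lets a crafted link show fake content."""
    return (
        "<html><body><h1>Investor news</h1>"
        f"<p>Results for: {query}</p>"
        "</body></html>"
    )


def render_news_hardened(query: str) -> str:
    """Same page, but the term is HTML-entity encoded before it reaches
    the markup, so it can only ever appear as literal text."""
    return (
        "<html><body><h1>Investor news</h1>"
        f"<p>Results for: {html.escape(query, quote=True)}</p>"
        "</body></html>"
    )


# Constructed, harmless probe: an inert tag with a unique attribute. If it
# comes back byte-for-byte, the parameter is rendered as HTML and page
# content can be altered by anyone who can get a victim to follow a link.
PROBE = '<i data-probe="x">probe</i>'


def reflects_unencoded(render, probe: str = PROBE) -> bool:
    """True when `render` echoes the probe markup without encoding it."""
    return probe in render(probe)


def main() -> None:
    for name, fn in (("vulnerable", render_news_vulnerable),
                     ("hardened", render_news_hardened)):
        print(f"{name}: reflects markup unencoded = {reflects_unencoded(fn)}")


if __name__ == "__main__":
    main()
```

The same probe-and-compare logic is what turns an XSS report from “not a real vulnerability” into a reproducible finding: the vulnerable page returns the probe intact, the hardened page returns `&lt;i data-probe=&quot;x&quot;&gt;…`.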

  • Eponymous

    Very interesting that you should post this today, because last night I was reading the message boards on google finance, looking for average troll/punter sentiment on the upcoming Whitehouse decision for GM, and a strange Bloomberg article surfaced which seemed to have more definitive information on the Bush decision than ANY other news source…

    Whereas ALL other sources were still saying that a bankruptcy was still possible, this strange Bloomberg article claimed that a bailout loan was already granted!

    Furthermore, the article was dated 12/19, and this was on 12/18. Three potential explanations crossed my mind: this was insider fraud or an error (at Bloomberg), a Whitehouse leak or Bloomberg scoop, and finally, a possible XSS pretending to be Bloomberg. I was able to disprove the XSS in short order, but it’s interesting that you post this the morning after.

    As it turns out, the article was right, so I’m guessing someone had insider information and was not supposed to publish it….

  • http://jbrownsec.blogspot.com jbrown

    This does indeed look like the very real deal. Good read!

  • Dave

    You mentioned using a vulnerability scanning service to find the XSS hole, what did you use?

  • http://www.BeyondSecurity.com Aviram

    @Dave -
    Naturally, I used ours.

  • kripssmart

    wow! nice article.