A woman working in HP Israel sent an email to hundreds of co-workers accusing (falsely) that a snack made by Osem, one of the largest food manufacturers in Israel and the local subsidiary of the Nestle food giant, is causing infant death.
This email quickly spread and the immediate result was a 6% drop in Osem’s stock in just a few hours.
The email wasn’t very sophisticated. It wasn’t even remotely true and the ministry of health immediately issued a statement confirming the rumour is false. Still, Osem – one of the largest companies in Israel – will see its stock down a few percent over this rumor.
Earlier this month, Apple’s stock went down following rumors that Apple’s CEO Steve Jobs had a heart attack. The Apple stock takes a beating every time that rumor surfaces, and that happens regularly.
Stocks going up or down because of rumors is old as the invention of the stock market. But the Internet makes it easier to create a rumor that reaches far and wide within hours; there is just one more component that is missing: credibility.
Imagine if you saw a news item on Apple.com that discussed the death of CEO and chairman Steve Jobs. Imagine if you saw a clarification text on Osem’s web site explaining that the ‘bamba’ snack is indeed suspect of poisoning infants. This is not difficult to do – I don’t really need to break in or deface the web sites for this to happen – I just need to find a cross site scripting vulnerability and use it for attack.
In fact, we made a quick proof of concept to the Tel Aviv stock exchange a few years ago when we planted a false news item using a cross site scripting attack. The reaction from TASE was familiar to anyone who ever reported a XSS vulnerability: “oh, this is not really a problem as it does not permanently changes the page” (for something that is “not a problem” they sure fixed it within the hour, though).
We’ve repeated this exercise almost every time our vulnerability scanning service found a XSS vulnerability and we had to explain why the report claims it’s a serious issue. We planted false financial reports in the ‘investors’ section, altered news items and in almost all cases, met with the standard reaction: “this is not a real vulnerability” and “how can this really affect me?”
Most security researchers opt to explain XSS as an attack for stealing cookies. While this is true, I think there’s a greater risk in altering the information on the page to visitors which could be useful in a phishing attack, or like the examples above, a speculative attack.
I’m waiting for the first XSS attack that will tank a big company stock. If you’re reading this, make sure your company won’t be the one.