Vulnerabilities that allow attackers to use an exploit known as the “forbidden attack” were discovered on 184 servers and affect dozens of Visa Inc.'s HTTPS-protected websites, according to an Ars Technica report. The exploit, which was revealed in a National Institute of Standards and Technology (NIST) report could be used to insert JavaScript code into a web page.
Network servers internationally repeat arbitrary cryptographic values, a nonce, and about 70,000 servers set the value randomly, according to a report on the German technology website Golem.de. The vulnerability also affected a German stock exchange and Polish bank association. Germany-based Deutsche Börse has address the vulnerability. Visa and Poland's Zwizek Banków Polskich have not yet addressed the flaw, according to the report. The researchers raised the issue with Visa earlier this year.
The security vulnerability underscores concerns voiced by financial services executives, as a recent report found that senior executives consider cybersecurity a core obstacle to digital innovation.