Vulnerabilities affecting dozens of Visa Inc.’s HTTPS-protected websites allow attackers to use an exploit known as the “forbidden attack.”
Network servers around the world repeat an arbitrary cryptographic value known as a nonce, and about 70,000 servers set the value randomly, according to a report on the German technology website Golem.de. The vulnerability also affected a German stock exchange and a Polish bank association. Germany-based Deutsche Börse has addressed the vulnerability. Visa and Poland's Związek Banków Polskich have not yet addressed the flaw, according to the report. The researchers raised the issue with Visa earlier this year.
The security vulnerability underscores concerns voiced by financial services executives, as a recent report found that senior executives consider cybersecurity a core obstacle to digital innovation.