Monday, June 11, 2007

$1,000,000 CNBC stock trading contest hacked

Described as the American Idol of stockpicking, CNBC's Million Dollar Portfolio Challenge (closed) is a chance for amateur traders to match their skills against the portfolios of the internet's best. 375,000 contestants compete in ten one-week challenges for a $10,000 prize and a spot in the final round to go for the cool million. To win, all you have to do is make the most money. However, reports are surfacing that several of the finalists (with unbelievably good returns) may have gamed the system. According to BusinessWeek and SecurityFocus, picking a sure winner required exploiting a surprisingly simple web application business logic flaw:

“A trader could go to the CNBC Web site and select a number of stocks to buy, but hold off on executing those trades. If you made the selection before the close of regular trading at 4 p.m. EST and left your Web browser open, you could execute those trades after hours and still receive the 4 p.m. closing price. For example, if a company whose stock closed at $20 a share rose to $25 in after-hours trading, you could buy the stock at $20, even though it was already worth 25% more.”

You can almost hear an army of web hackers smacking themselves for missing the opportunity to play. Or maybe they didn’t? :) Obviously this issue is something you can’t scan for; heck, most humans miss it. And talk about difficult to detect: certainly not the common IDS noise from XSS or SQL Injection. In the end it was seemingly just a bunch of everyday stock people who spotted the abnormality. CNBC, with a reputation to protect, announced that it had opened an investigation. With that amount of money on the line, they’d better.
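As an added illustration (not code from this post or from CNBC's system), here is a hypothetical Python sketch of the pricing logic described above: the vulnerable path honours the price captured when the stock was selected, the hardened path resolves the price server-side at the moment the trade is processed, and a small log check flags selections made before the close but submitted after it. The ticker, prices, timestamps and function names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

MARKET_CLOSE = time(16, 0)  # timestamps are naive wall-clock US Eastern (assumption)
# Constructed quote table for a hypothetical ticker: closing vs. after-hours price.
QUOTES = {"XYZ": {"close": 20.00, "after_hours": 25.00}}

@dataclass
class Order:
    symbol: str
    quoted_price: float     # price the browser showed when the stock was selected
    selected_at: datetime   # when the contestant picked the stock in the browser
    submitted_at: datetime  # when the server actually received the execute request

def is_after_close(ts: datetime) -> bool:
    return ts.time() >= MARKET_CLOSE

def fill_price_vulnerable(order: Order) -> float:
    """The flaw: the server honours the price captured at selection time, so a
    pick made before 4 PM and submitted after hours still gets the close."""
    return order.quoted_price

def fill_price_fixed(order: Order) -> float:
    """Hardened: the price is resolved server-side when the trade is processed;
    nothing is filled at the close once the market has closed (or price at next open)."""
    if is_after_close(order.submitted_at):
        raise ValueError(f"{order.symbol}: market closed, not filled at today's close")
    return QUOTES[order.symbol]["close"]  # stands in for a live quote lookup

def find_suspicious_fills(orders: list[Order]) -> list[Order]:
    """Log check: selected before the close but submitted after it is the gamed pattern."""
    return [o for o in orders
            if not is_after_close(o.selected_at) and is_after_close(o.submitted_at)]

# Constructed sample orders: one gamed, one ordinary.
GAMED = Order("XYZ", 20.00, datetime(2007, 5, 21, 15, 55), datetime(2007, 5, 21, 18, 30))
NORMAL = Order("XYZ", 20.00, datetime(2007, 5, 21, 15, 0), datetime(2007, 5, 21, 15, 5))

def demo() -> dict:
    """Outcome of both orders under the vulnerable and the fixed logic."""
    out = {"vulnerable_gamed": fill_price_vulnerable(GAMED),
           "fixed_normal": fill_price_fixed(NORMAL),
           "flagged": [o.symbol for o in find_suspicious_fills([GAMED, NORMAL])]}
    after = QUOTES[GAMED.symbol]["after_hours"]
    out["edge_pct"] = round((after - out["vulnerable_gamed"]) / out["vulnerable_gamed"] * 100, 1)
    try:
        fill_price_fixed(GAMED)
        out["fixed_gamed"] = "filled"
    except ValueError:
        out["fixed_gamed"] = "rejected"
    return out
```

The point of the detection function is that the server's own receipt timestamp, not anything the browser sends, is the only trustworthy record of when a trade was actually placed.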

This situation raises several interesting and timely questions with respect to the CSI website vulnerability discovery report.

1) Does CNBC or parent owner GE face potential lawsuits from disgruntled participants?

2) Do the people who exploited the flaw in an attempt to win the contest face any civil liability or potentially criminal charges? What about the people who felt cheated and decided to find the glitch of their own accord?

Civil maybe, criminal is hard to say because it seems they still technically “used” the system in the way it was intended. It could easily go the other way and both sides might have that scary discussion with a prosecutor.

CNBC Notice

We have an update on the CNBC Million Dollar Portfolio Challenge. As CNBC first reported on May 30, we were contacted by several contestants alleging unusual trading in violation of rules of the contest, which ended on May 25.

As CNBC said at the time, we immediately launched a thorough investigation of the contest and we are now focusing on three specific areas of concern.

We are investigating whether one or more finalists wrote and executed computer program scripts to bypass the contest's security measures.

Additionally, one or more contestants were able to change their trades after the markets closed at 4 PM ET, but before the trades were processed by CNBC. That way, a contestant could have executed trades after hours, and have the trades priced as of that day's market close.

CNBC has retained two leading consultants in the information security industry to investigate these two computer programming related issues.

In addition, there have been allegations that one or more contestants may have engaged in illegal market manipulation to affect actual prices of stocks represented in their contest portfolios.

We have engaged an independent securities expert to determine whether such activity took place.

As we said previously, the rules state that CNBC has until July 8, 2007 to declare a winner. Although CNBC hopes to announce a winner before that date, it is more important to ensure the individual awarded the Grand Prize is in compliance with the rules.

Integrity is paramount to CNBC. We are taking all allegations of improprieties very seriously. CNBC will provide updates on the air and on as they become available.


Jordan said...

This on the same day that Richard Bejtlich announces he's going to head up incident response for GE.

I wonder if he gets counted as an "independent security expert" still since he hasn't officially started yet. ;-)

Jeremiah Grossman said...

I guess he has his first task. :)

Anonymous said...

And do you think that NASDAQ systems are different? And if not NASDAQ, then CME or the stock exchange in Kuala Lumpur or Tel-Aviv or Mumbai or Moscow... This is reality TV after all.

Jeremiah Grossman said...

Oh please please leave me SOME of my illusions!