- A developer has revealed a number of vulnerabilities in the DX.Exchange platform, including a user data leak
- A bug led to the leak of authentication tokens and password reset links
- The site has since published a maintenance update
There are many things that make a good crypto exchange. One of the most important, however, is its security. A cryptocurrency exchange without adequate security can run into a plethora of issues, as evidenced by the Maple Exchange hack of 2018 that led to users’ funds being stolen. According to research carried out by an online trader, DX.Exchange, a new cryptocurrency exchange platform, has several vulnerabilities, including the leaking of user data.
About DX
DX.Exchange has generated significant buzz on the internet. One of the reasons for this is its business model as it allows not only the trading of currencies but also the digital versions of stock from prominent firms such as Tesla and Apple.
The exchange currently has over 600,000 registered users.
The trader in question decided to see if the site was truly secure and created a dummy account for this reason. He also turned on developer tools on Google Chrome to aid in his mission.
The Experiment
Once the trader’s dummy account was set up, he sent a request to DX.Exchange through his browser which included an authentication token.
The site’s response contained a mass of data. On inspecting it, he found that it included several other users’ authentication tokens and their password reset links.
“I have about 100 collected tokens over 30 minutes. If you wanted to criminalize this, it would be super easy,” said the trader who has chosen to remain anonymous.
The authentication tokens are formatted as JSON Web Tokens (JWTs). A JWT payload is only base64url-encoded, not encrypted, so it can be decoded by pasting the token into any JWT decoding site, which also reveals the names and email addresses of the users.
Staff accounts also vulnerable
Further experimentation showed that a hacker can gain access to any account with the tokens as long as the user hasn’t manually logged out of the account.
What’s worse, some of the tokens belong to employees of the exchange and should some of them have administrative privileges, the security of the entire exchange could be compromised.
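As an added illustration of the two points above, not code from the article or from the exchange: a JWT payload is only base64url-encoded, so anyone holding a token can read claims such as name and email, and a leaked token stays usable until the server stops accepting it, so verification should enforce expiry and a logout revocation list. The HS256 secret, the claim names and the constructed token are all assumptions for this demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Claims that should not ride in a token in the clear (constructed list; the
# article reports names and email addresses being readable from the tokens).
PII_CLAIMS = {"name", "email"}

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a signed HS256 JWT (demo helper, not the exchange's own code)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def decode_unverified_payload(token: str) -> dict:
    """No secret needed: the payload is plain base64url, readable by any holder."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def audit_pii(token: str) -> set:
    """Defender's check: which PII claims does this token expose?"""
    return PII_CLAIMS & set(decode_unverified_payload(token))

def verify(token: str, secret: bytes, revoked: set, now: Optional[float] = None) -> bool:
    """Server-side acceptance: valid signature, not expired, not revoked at logout."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return False
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:          # short lifetimes bound a leaked token's window
        return False
    return claims.get("jti") not in revoked  # logout adds the token id to the revocation list

if __name__ == "__main__":
    tok = make_hs256_jwt({"sub": "u1", "jti": "t1", "name": "Alice", "email": "a@example.invalid",
                          "exp": 2_000_000_000}, b"demo-secret")
    print(decode_unverified_payload(tok), audit_pii(tok))
```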
The site has since been notified of the vulnerabilities and has published a site maintenance update as well as a statement:
“Due to the high volume of interest in our platform and heavy signups, we discovered some bugs, most are fixed, few are going under examination right now. We are confident to be able to fix them all and finalize our launch in the shortest time.”