The newly launched tokenized trading platform DX.Exchange has security issues on its website that can jeopardize users' sensitive data and funds if they fall into malicious hands.
The new trading platform, which lets users trade crypto and digitized versions of shares in many major companies, such as Apple, Tesla and Amazon, managed to grab the public's attention only 3 days after its launch.
It had already closed in on 600,000 registered users months before the launch, as DX.Exchange CEO Daniel Skowronski said in an interview last August.
However, a "trial" made by an anonymous online trader revealed that the DX.Exchange site has concerning security issues that jeopardize its users' sensitive data, and even their funds.
A couple of days ago, after hearing the buzz around the platform's launch, the trader decided to give it a try to find out whether it was something he would want to use.
He created a dummy account, since he wanted to see how robust the platform was and check its level of security, given that it collects a fair amount of users' sensitive information, such as financial and legal data.
While exploring the platform, he turned on the Chrome browser's developer tools to get better visibility into the traffic. What he found shocked him.
The requests his browser sent to DX.Exchange included information that is not supposed to be there: the authentication token a user needs to access their account.
He also could not explain why the responses DX.Exchange sent back to his browser contained lots of sensitive information, including other users' authentication tokens and password-reset links.
"I have about 100 collected tokens over 30 minutes," he said.
And since the tokens are formatted as standard JSON Web Tokens, whose payload is only base64-encoded rather than encrypted, anyone who knew about the site could easily read the full names and email addresses of the DX.Exchange users the tokens belonged to.
“If you wanted to criminalize this, it would be super easy,” he continued.
It got worse: using his own account, he confirmed that anyone holding one of the tokens could gain access to the corresponding account, as long as the user had not logged out since the token was leaked.
With a little tweaking of calls to the site's programming interface (API), he was even able to keep his access to an account after the user had logged out.
He deplored the fact that the site gave no notification when the API was invoked, and doubted that two-factor authentication would be the solution, although he did not test that far, since it would have required him to provide his phone number.
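The two checks described above, as an added illustration that is not code from the article, from Ars or from the exchange: scan an API response for JSON Web Tokens that do not belong to the caller, and show that each one's claims can be read without any signing key. The response shape, the claim names and every token here are constructed sample input.

```python
import base64
import json
import re

# A JWT is three base64url segments joined by dots; the middle one holds the claims.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")
PII_CLAIMS = ("sub", "name", "email")  # claims that identify a person (assumed names)

def b64url_decode(segment: str) -> bytes:
    # base64url drops the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    # No key and no signature check: the payload is encoded, not encrypted,
    # so anyone holding the token can read the claims inside it.
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def find_leaked_tokens(body: str, own_token: str) -> list:
    # Report every JWT in a response body other than the caller's own session token.
    findings = []
    for tok in set(JWT_RE.findall(body)):
        if tok == own_token:
            continue  # your own token in your own traffic is expected
        try:
            claims = decode_claims(tok)
        except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass ValueError
            continue  # matched the shape but is not a JWT
        exposed = {k: claims[k] for k in PII_CLAIMS if k in claims}
        findings.append({"token_prefix": tok[:12], "exposed_claims": exposed})
    return findings

def make_token(claims: dict) -> str:
    # Constructed sample token with a dummy signature; used only as sample input.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
                     enc(json.dumps(claims).encode()),
                     enc(b"constructed-dummy-signature-bytes")])

# Constructed stand-in for a leaky API response that lists other users' sessions.
SAMPLE_RESPONSE = json.dumps({
    "status": "ok",
    "sessions": [
        {"token": make_token({"sub": "1001", "name": "Alice Example", "email": "alice@example.com"})},
        {"token": make_token({"sub": "1002", "email": "bob@example.com"})},
    ],
})
MY_TOKEN = make_token({"sub": "9999", "email": "me@example.com"})
```

Run `find_leaked_tokens(SAMPLE_RESPONSE, MY_TOKEN)` to list the two foreign tokens together with the name and email each one exposes; a site's own QA can run the same scan over its responses to catch this class of leak before launch.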
So, is that all?
Sadly, it is not. Besides leaking sensitive data and allowing unauthorized access to users' accounts, the leak also put the whole system in danger, since some of the leaked tokens belonged to the company's employees.
Imagine what malicious people could do if they managed to gain access to an employee account with admin privileges.
Speaking to Ars Technica, the trader said some of the tokens came from the exchange itself. "You can see from the account's email address it's @coins.exchange. I have pretty good confidence I could do this for a day and get an administrative token and have everything," he continued.
Ars Technica's staff then confirmed for themselves that the DX.Exchange site responded with lots of authentication tokens. They contacted several users named in the tokens to ask whether they really had an account on the exchange; one confirmed having signed up less than an hour earlier.
When Ars contacted the exchange about the leak last Tuesday, a team member responded asking for more details. This was followed by an announcement on the company's official Twitter account about a scheduled maintenance update to improve the platform's functionality.
WE SCHEDULED FOR TODAY AT 11:00 AM (ESTONIA TIME ZONE) A MAINTENANCE UPDATE TO IMPROVE OUR PLATFORM FUNCTIONALITY AND PERFORM SEVERAL BUG FIXES AND UPDATES. THE PLATFORM WILL COME BACK FULLY FUNCTIONAL AFTER FEW MINUTES. THANK YOU FOR YOUR PATIENCE— DX.Exchange (@DXdotExchange) January 9, 2019
In less than 24 hours, the team confirmed that the bug had been fixed and thanked Ars; according to Ars' own analysis, the bug was indeed patched.
Furthermore, Ars Technica's team said there were several other red flags in DX.Exchange's security, including a sloppy token system. They also regretted that the exchange provides no contact information for a security team and has no bug bounty program.
The anonymous trader who managed to find the issues in the first place said, “The fact that I’m even scared to tell them and there’s not even a way to do it, it’s ridiculous.”
It is never wrong to be cautious on matters like this, so all DX.Exchange users should assume their accounts have been accessed and that all information provided to the site has been exposed.
Stay with Chepicap for more updates.