DX.Exchange, a crypto-based asset trading platform, has lately been making positive noise in the news cycle thanks to its January 7th launch. The exchange has been marketed as the platform that will bridge the gap between cryptocurrencies and real-world stocks: investors can purchase tokenized versions of Apple and Facebook stocks, as well as some of the most popular cryptocurrencies such as Bitcoin, Ethereum, XRP, Litecoin and Bitcoin Cash. Just a couple of days after launch the tune seems to be changing, as the popular tech website ArsTechnica reported that the platform suffers from major security issues.
The issues were exposed by an online trader who decided to do his due diligence and check out the security on the DX.Exchange website. After creating a dummy account and checking out the website with the help of Google Chrome developer tools, the trader noticed several vulnerabilities that might have caused serious leaks of account login credentials and personal user information.
The vulnerability is described as an authentication token issue: whenever his browser sent one of these tokens (required for accessing your account) to the exchange’s website, the website sent back “all kinds of extraneous data”. The trader realized that this data was extremely sensitive, including other users’ authentication tokens and even password-reset links. A malicious user could use this data to gain unauthorized access to the accounts whose tokens had leaked.
“I have about 100 collected tokens over 30 minutes. If you wanted to criminalize this, it would be super easy,” explains the trader.
The security issues didn’t stop there, as the leaked data apparently contained tokens belonging to employees of the website. Anyone who obtained this information could easily have logged into the DX.Exchange website with administrative privileges. Once logged in this way, the attacker might have been able “to download entire databases, seed the site with malware, and possibly even transfer funds out of user accounts.”
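As an added illustration (not DX.Exchange’s code; the response shape, field names and values are constructed), the following Python check walks a JSON reply of the kind described above and flags token or reset-link fields that are not scoped to the authenticated caller, alongside the allowlisting fix a defender would apply so that the server only ever serializes the caller’s own records:

```python
# Constructed sample of an over-broad API reply: the caller's own session plus
# other users' tokens, an employee/admin token and a password-reset link.
LEAKY_RESPONSE = {
    "user": {"id": 42, "email": "trader@example.invalid", "token": "tok-42-aaaa"},
    "sessions": [
        {"user_id": 42, "token": "tok-42-aaaa"},
        {"user_id": 7, "token": "tok-7-bbbb", "role": "admin"},
        {"user_id": 99, "token": "tok-99-cccc",
         "reset_link": "https://exchange.invalid/reset?code=zzz"},
    ],
}

# Field names treated as secrets (hypothetical list, extend per application).
SENSITIVE_KEYS = {"token", "reset_link", "session", "password"}


def find_leaks(obj, caller_id, path=""):
    """Detection: return JSON paths of sensitive fields whose owning record
    (identified by 'user_id' or 'id') is not the authenticated caller."""
    leaks = []
    if isinstance(obj, dict):
        owner = obj.get("user_id", obj.get("id"))
        for key, value in obj.items():
            sub = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS and owner != caller_id:
                leaks.append(sub)
            leaks.extend(find_leaks(value, caller_id, sub))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            leaks.extend(find_leaks(value, caller_id, f"{path}[{i}]"))
    return leaks


def scope_to_caller(response, caller_id):
    """Mitigation: rebuild the reply from an explicit allowlist of the caller's
    own fields instead of serialising whole tables. Hypothetical helper."""
    user = response.get("user", {})
    if user.get("id") != caller_id:
        raise PermissionError("response user does not match authenticated caller")
    own_sessions = [
        {"user_id": s["user_id"], "token": s["token"]}
        for s in response.get("sessions", [])
        if s.get("user_id") == caller_id
    ]
    return {"user": {"id": user["id"], "email": user["email"]},
            "sessions": own_sessions}


if __name__ == "__main__":
    print("leaked fields:", find_leaks(LEAKY_RESPONSE, 42))
    print("leaks after fix:", find_leaks(scope_to_caller(LEAKY_RESPONSE, 42), 42))
```

A check like `find_leaks` can run in an integration test or a response-inspecting proxy to catch excessive data exposure before launch, but the durable fix is the allowlisted serializer.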
The exchange has since responded, confirming that the issue has been acknowledged and fixed.
Still, the exchange seems to be plagued with early-launch issues and bugs that could endanger its users’ sensitive information and funds. Check out the complete ArsTechnica report here.