Newly launched crypto exchange DX.Exchange, also known for having been built on NASDAQ's "market leading matching technology," has raised concern for one unnamed trader, who has since revealed its flaws.
In particular, DX.Exchange's user information (personal details, account data and passwords) has been found to be leaking, reports Ars Technica (https://arstechnica.com/information-technology/2019/01/hot-new-trading-site-leaked-oodles-of-user-data-including-login-tokens/).
According to the claims, the unnamed trader was interested in the exchange's security given the hype surrounding its launch. To test it, the trader reportedly created a fake account and used tools built into the Chrome browser. Despite the simplicity of those tools, the trader was shocked to see that DX.Exchange was sending his browser data belonging to other users, which should naturally be kept private.
“I have about 100 collected [authentication] tokens over 30 minutes […] If you wanted to criminalize this, it would be super easy,” notes the trader.
As per the claims, the tokens are JSON Web Tokens, and to his surprise, in-depth information such as DX.Exchange users' full names and email addresses could be read from them. Furthermore, unless a user manually logs out of his or her account, anyone holding the token can access it.
The trader then looked for other ways to access a user's account and, astonishingly, was able to "permanently compromise" one, implying that anyone can easily get into that user's account whether they are signed in or logged out.
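The two paragraphs above rest on a property of JSON Web Tokens worth seeing concretely: the payload is only base64url-encoded, so a signed token still discloses every claim to whoever holds it, and a bearer token stays usable until it expires or is revoked. The following audit script is an added example written for this article, not code from DX.Exchange, the trader or Ars Technica. It mints a constructed sample token with a made-up secret, decodes the payload without any signature check, and flags the issues a defender would look for in their own service's tokens: readable PII claims, a missing or overly long expiry, and no `jti` to support server-side revocation. The claim names, the 15-minute lifetime policy and the sample values are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Hypothetical policy values for the audit (assumptions, not from the article).
PII_CLAIMS = {"name", "given_name", "family_name", "email", "phone_number", "address"}
MAX_LIFETIME_SECONDS = 15 * 60  # access tokens should live at most 15 minutes

# Constructed values: a fake signing secret and a fixed "now" (2019-01-09 00:00 UTC).
DEMO_SECRET = b"constructed-demo-secret-not-real"
NOW = 1_546_992_000


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 token purely so the audit has input to read."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """Return the payload WITHOUT checking the signature.

    The signature proves who issued the token; it does nothing to hide the
    claims, which anyone holding the token can read exactly like this.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def verify_hs256(token: str, secret: bytes) -> bool:
    """Signature check only: a valid signature says nothing about who presents it."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def audit_token(token: str, now: Optional[float] = None) -> List[str]:
    """Flag token-design weaknesses a defender would want to fix before launch."""
    now = time.time() if now is None else now
    claims = decode_unverified(token)
    findings = []
    pii = sorted(PII_CLAIMS & claims.keys())
    if pii:
        findings.append(f"payload carries readable PII claims: {', '.join(pii)}")
    exp = claims.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires on its own")
    else:
        lifetime = exp - claims.get("iat", now)
        if lifetime > MAX_LIFETIME_SECONDS:
            findings.append(f"lifetime {int(lifetime)}s exceeds policy of {MAX_LIFETIME_SECONDS}s")
        if exp <= now:
            findings.append("token is already expired")
    if "jti" not in claims:
        findings.append("no jti claim: token cannot be individually revoked server-side")
    return findings


# Constructed sample tokens: one shaped like the problem described, one tightened up.
LEAKY_TOKEN = make_sample_token({
    "sub": "user-123", "name": "Alice Example", "email": "alice@example.com",
    "iat": NOW, "exp": NOW + 30 * 24 * 3600,   # 30-day lifetime, no jti
})
TIGHT_TOKEN = make_sample_token({
    "sub": "user-123", "jti": "constructed-token-id-1", "iat": NOW, "exp": NOW + 600,
})

if __name__ == "__main__":
    for label, tok in (("leaky", LEAKY_TOKEN), ("tight", TIGHT_TOKEN)):
        print(label, "signature valid:", verify_hs256(tok, DEMO_SECRET))
        print(label, "readable payload:", decode_unverified(tok))
        print(label, "findings:", audit_token(tok, now=NOW) or ["none"])
```

Run against tokens your own service issues (the audit never needs the signing key), the findings point at the mitigations implied by the article: keep names and email addresses out of the token and look them up server-side from `sub`, issue short-lived access tokens, and give each token a `jti` so a leaked one can be revoked without waiting for the user to log out.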
The Worst Is Yet to Come
It seems the worst is yet to come. In addition to the leakage of user information, the leak appears able to compromise the entire site, as some of the leaked information belongs to DX.Exchange's own employees.
This means a hacker could gain access to everything housed within the exchange. The trader explained the following to Ars Technica:
“I got tokens from the exchange itself […] You can see from the account’s email address it’s @coin.exchange [administrative email domain]. I have pretty good confidence I could do this for a day and get an administrative token and have everything.”
After the findings were presented to DX, the exchange announced that it would undergo maintenance to rid the platform of the bugs it had been notified of, as seen in the tweet below:
WE SCHEDULED FOR TODAY AT 11:00 AM (ESTONIA TIME ZONE) A MAINTENANCE UPDATE TO IMPROVE OUR PLATFORM FUNCTIONALITY AND PERFORM SEVERAL BUG FIXES AND UPDATES. THE PLATFORM WILL COME BACK FULLY FUNCTIONAL AFTER FEW MINUTES. THANK YOU FOR YOUR PATIENCE
— DX.Exchange (@DXdotExchange) January 9, 2019
Investors should be aware that the exchange was launched as a "soft launch," and since acknowledging the current problem, the team has said the following, as also noted by Ars Technica:
“Due to the high volume of interest in our platform and heavy signups, we discovered some bugs, most are fixed, few are going under examination right now. We are confident to be able to fix them all and finalize our launch in the shortest time.”
Overall, this is just one of several examples investors should learn from. Many should be wary of the potential problems an exchange may house, especially in its infancy, so more time should be spent assessing its security, among other factors, before creating an account.