When the Dx.Exchange platform launched earlier this week, it was met with much fanfare and exposure across the financial news arena. However, major problems are already afoot.
An online trader checking out the platform’s security hygiene came across a number of security issues and said that the exchange could be “criminalized super-easy.”
The exchange had a soft launch on Jan 7 and has been marketed as bridging the gap between cryptocurrencies and real-world stocks. You can obtain not only digitized versions of stocks such as Apple and Facebook, but also some of the most popular cryptocurrencies.
Although the exchange had received some favorable reviews from major news outlets, the exposure has now taken a turn for the worse as reports are surfacing that Dx.Exchange has some major security issues.
Site Assessment Unearths Security Issues
An online trader whose identity remains a secret for legal reasons ran some checks on the newly launched Dx.Exchange platform and found that the site was leaking sensitive legal and financial data.
The anonymous trader, who gave this information to Ars Technica, created a dummy account to test the robustness of the platform and its security. Soon after opening the developer tools in the Google Chrome browser to explore further, he found some shocking details: the request his browser sent to Dx.Exchange included the authentication token and the user’s details used to access the account.
The anonymous trader reportedly said that the browser traffic contained password-reset links and other users’ tokens as well. The tokens use an open standard called JSON Web Tokens (JWT), in which the payload is only base64-encoded rather than encrypted, so anyone with modest skill can read out the email addresses and full names of the tokens’ owners.
I have about 100 collected tokens over 30 minutes. If you wanted to criminalize this, it would be super easy.
The trader could basically gain access to any affected account if the user hadn’t already logged out by the time the token was leaked. After further exploration, the anonymous trader found he could also keep access to the accounts even after the users had logged out.
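To illustrate the two problems described above, here is an added example (not code from the article or from Dx.Exchange) that builds a sample JWT with a constructed secret and constructed user claims: it shows that the email and name inside a leaked token are readable without any key, and that a token checked only statelessly stays valid after logout unless the server also consults a revocation list.

```python
# Added example (not from the article or Dx.Exchange): constructs a sample JWT
# to show that the payload is only base64url-encoded (anyone holding a leaked
# token can read the email and full name in it) and that a stateless token
# stays valid after logout unless the server keeps a revocation list.
# The secret, the user claims and the token id below are all constructed.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # placeholder, not a real key
REVOKED = set()                       # server-side denylist of token ids (jti)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict) -> str:
    """Sign the claims as an HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def peek_payload(token: str) -> dict:
    """Read the claims WITHOUT the key: this is all a leaked token exposes."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def logout(token: str) -> None:
    """Server-side logout: record the token id so it can no longer be used."""
    REVOKED.add(peek_payload(token)["jti"])

def is_valid(token: str, check_revocation: bool = True) -> bool:
    """Verify signature and expiry, and (if enabled) the revocation list."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return False                   # tampered or foreign token
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        return False                   # expired
    return not (check_revocation and claims.get("jti") in REVOKED)

# Constructed sample user; in the incident these fields were readable from leaked tokens.
SAMPLE = issue_token({"sub": "42", "name": "Example User", "email": "user@example.com",
                      "jti": "tok-001", "exp": int(time.time()) + 3600})
```

Without the `jti` denylist in `is_valid`, nothing on the server changes at logout, which is why a token captured before logout keeps working afterwards.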
Even More Issues with Dx.Exchange
Although this discovery was already bad enough, the anonymous trader unearthed even more security issues with the Dx.Exchange platform. The leak endangered the entire system as token data belonging to employees of the company was also accessible.
Can you imagine the potential carnage if hackers had managed to get into the admin accounts of employees? The anonymous trader went on to say:
You can see from the account’s email address it’s @coins.exchange. I have pretty good confidence I could do this for a day and get an administrative token and have everything.
An Ars Technica staff member went on to confirm that the exchange was responding with large numbers of authentication tokens. He contacted several users from the obtained list and asked them whether they had joined Dx.Exchange. One of the users confirmed that they had signed up for the exchange just an hour earlier.
The trader then reportedly informed Dx.Exchange about the issues, and within 24 hours the company responded by scheduling a maintenance update to “perform several bug fixes and updates.”
WE SCHEDULED FOR TODAY AT 11:00 AM (ESTONIA TIME ZONE) A MAINTENANCE UPDATE TO IMPROVE OUR PLATFORM FUNCTIONALITY AND PERFORM SEVERAL BUG FIXES AND UPDATES. THE PLATFORM WILL COME BACK FULLY FUNCTIONAL AFTER A FEW MINUTES. THANK YOU FOR YOUR PATIENCE
— DX.Exchange (@DXdotExchange) January 9, 2019
Although the security issues with Dx.Exchange could just be teething problems during its “soft launch”, it is important that the exchange’s users exercise caution. The initial exposure in the financial media seemed like a great thing for the exchange, but it could now become a liability as the company has to engage in some damage limitation.