DX.Exchange Cryptocurrency Leaks Customers’ Data and Authentication Token in a Bug
DX.Exchange, a UK-based cryptoassets exchange that also allows users to trade digitized stocks of Tesla, Apple and others, has reportedly leaked several login details of some of its customers and employees due to a bug on its platform, Ars Technica reported on January 9.
Cryptocurrency Exchange Leaks Customers’ Security Tokens
Per sources close to the matter, DX.Exchange, also known as Coins.exchange, has leaked the personal details of some of its customers and employees as a result of a bug on the platform.
The vulnerability was discovered by a new trader who wanted to test the platform’s level of security.
Specifically, the user, who has decided to remain anonymous in order to avoid legal charges from the company, reportedly used the developer tools in the Chrome web browser to access the site’s source code.
Ars Technica reports that this allowed the trader to obtain the authentication token and password-reset links which DX.Exchange automatically generates for a customer. The former is a token that can only be used to access a user’s account as long as they are logged in.
User Gains Access to Inaccessible Account
Interestingly, the user was able to carry out specific manipulations which allowed him to access people’s accounts, even after they may have logged out. Among these accounts were also those of DX.Exchange employees.
The repercussion of being able to access an employee’s account is that the site’s databases can be downloaded and malware can be injected into it to corrupt data, says the report.
In addition to that, the funds held within a customer’s account can easily be transferred with one-time access to these tokens. Therefore, this poses a risk not only to the customer’s financial and legal information but to their cryptocurrency wallets as well.
Ars Technica says it contacted specific users of the platform whose account information had been leaked. Although most did not respond, one respondent said they had joined the platform only a few hours earlier and as such could be of no help.
The next course of action was to contact the exchange’s administrators, who were able to detect the bug and make fixes within hours. However, this move has been said to be suspicious since they knew where the error was and where fixes were needed.
According to the media outlet, exposing the dealings on this platform is meant to create awareness among users of the exchange, informing them that their data may have been compromised.
Hacks and heists are becoming quite synonymous with cryptocurrency exchanges and trading venues, a phenomenon that doesn’t have a positive impact on the growth of the crypto space.
In January 2018, BTCManager reported that half a billion dollars had been stolen from Japan’s Coincheck exchange by hackers, and in November 2018, reports emerged that BitPay’s Copay wallet had also suffered a massive attack.