Security Alert: User Data, Login Tokens Leaked from DX.Exchange

DX.Exchange, an Estonia-based trading platform that will reportedly allow users to trade Apple, Facebook and Tesla stocks from anywhere in the world (24/7), may have serious security vulnerabilities – which could compromise large amounts of user data.

DX.Exchange’s website collects sensitive financial and legal information from its users, in order to provide trading services. According to Ars Technica, a prospective trader created a “dummy account” to check whether the DX.Exchange platform was secure.

The trader noted that when he sent DX.Exchange a trading request from his browser, the message included an “extremely long string of characters” (called an “authentication token”). The token is like a secret passphrase the website requires before allowing users to access their account. However, the user revealed that DX.Exchange had been sending responses (to the request) that included “all kinds of extraneous data.”

Sharing “Other Users’ Authentication Tokens” & Personal Information

After carefully examining the data sent by DX.Exchange, the user found that the trading platform had been sharing “other users’ authentication tokens and password-reset links.”

The trader, who has reportedly asked not to be identified for security reasons, told Ars Technica:

I have about 100 collected tokens over 30 minutes. If you wanted to criminalize this, it would be super easy.

The tokens sent from DX.Exchange’s servers have been formatted according to the open JSON web tokens standard. Notably, the trader revealed that it’s possible to gain access to the full names and email addresses belonging to DX.Exchange users by simply plugging the leaked strings into the trading platform’s website.

Could Have Been Possible To “Download Entire User Databases”

In order to help him test whether DX.Exchange’s website was protecting customer data, the trader had turned on developer tools in his Google Chrome browser. He found that anyone who possesses a user’s token will be able to access their account. Even if the user logs out, an attacker can still access their account by using a “site programming interface”, the trader explained.

In addition to allowing unauthorized access and compromising user data, the DX.Exchange site can reportedly be exploited to obtain tokens belonging to employees of the company. If an attacker is able to gain access to an employee’s account (using tokens) that has administrative privileges, then it could be possible to download entire user databases.

It might also allow hackers to install malware on the website and transfer funds out of user accounts, the trader claims. During an interview in August 2018, Daniel Skowronski, the CEO of DX.Exchange, had said the trading platform had almost 600,000 registered users.

Was Easy To Obtain User Tokens From Exchange

Commenting on how easy it was to obtain user tokens from the exchange, the trader said:

I got tokens from the exchange itself. You can see from the account’s email address [that] it's @coins.exchange. I have pretty good confidence I could do this for a day and get an administrative token and have everything.

Notably, Coins.Exchange is the domain is used by administrative account holders working for DX.Exchange.

After DX.Exchange’s support team was informed (by Ars Technica) that the trading site had security vulnerabilities, the platform’s developers were able to fix the problem. An official statement from Ars noted:

The bug was immediately identified and suppressed the minute [we] received … professional feedback. DX is in a Soft Launch, where we got some unexpected and positive mass attention from news media all over the world. Due to the high volume of interest in our platform and heavy signups, we discovered some bugs, most are fixed, few are going under examination right now. We are confident to be able to fix them all and finalize our launch in the shortest time.