Security Alert: User Data, Login Tokens Leaked from DX.Exchange

DX.Exchange, an Estonia-based trading platform that will reportedly allow users to trade Apple, Facebook and Tesla stocks from anywhere in the world (24/7), may have serious security vulnerabilities that could compromise large amounts of user data.

DX.Exchange’s website collects sensitive financial and legal information from its users, in order to provide trading services. According to Ars Technica, a prospective trader created a “dummy account” to check whether the DX.Exchange platform was secure.

The trader noted that when he sent DX.Exchange a trading request from his browser, the message included an “extremely long string of characters” (called an “authentication token”). The token is like a secret passphrase the website requires before allowing users to access their account. However, the user revealed that DX.Exchange had been sending responses (to the request) that included “all kinds of extraneous data.”

Sharing "Other Users' Authentication Tokens" & Personal Information

After carefully examining the data sent by DX.Exchange, the user found that the trading platform had been sharing “other users’ authentication tokens and password-reset links.”

The trader, who has reportedly asked not to be identified for security reasons, told Ars Technica:

I have about 100 collected tokens over 30 minutes. If you wanted to criminalize this, it would be super easy.

The tokens sent from DX.Exchange’s servers have been formatted according to the open JSON web tokens standard. Notably, the trader revealed that it’s possible to gain access to the full names and email addresses belonging to DX.Exchange users by simply plugging the leaked strings into the trading platform’s website.

Could Have Been Possible To "Download Entire User Databases"

In order to help him test whether DX.Exchange’s website was protecting customer data, the trader had turned on developer tools in his Google Chrome browser. He found that anyone who possesses a user’s token will be able to access their account. Even if the user logs out, an attacker can still access their account by using a “site programming interface”, the trader explained.

In addition to allowing unauthorized access and compromising user data, the DX.Exchange site can reportedly be exploited to obtain tokens belonging to employees of the company. If an attacker is able to use a leaked token to gain access to an employee account that has administrative privileges, then it could be possible to download entire user databases.
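As an added example (not code from the article or from DX.Exchange), the check below does what the trader described from the defender's side: it scans an API response body for JWT-shaped strings, decodes their payloads without verifying the signature, and flags any token whose subject is not the requesting user. The signing key, the claims and the sample response are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed signing key for the sample tokens only; not a real platform value.
SAMPLE_KEY = b"sample-key-for-demo-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict) -> str:
    """Build a well-formed HS256 JWT so the sample response contains real-looking tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(SAMPLE_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


# Three base64url segments separated by dots: the shape of any JWS compact token.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def find_foreign_tokens(response_text: str, requester_sub: str) -> list:
    """Return the claims of every JWT in the response whose subject is not the requester.

    The payload is decoded without signature verification: only the claims are read,
    to see whose token it is, exactly as the leaked strings exposed names and emails.
    """
    foreign = []
    for token in JWT_RE.findall(response_text):
        try:
            claims = json.loads(_b64url_decode(token.split(".")[1]))
        except ValueError:
            continue  # matched the shape but the middle segment is not a JSON payload
        if claims.get("sub") != requester_sub:
            foreign.append(claims)
    return foreign


# Constructed sample response: the requester's own token plus two belonging to other accounts.
SAMPLE_RESPONSE = json.dumps({
    "order": {"symbol": "AAPL", "qty": 1},
    "token": make_token({"sub": "user-17", "email": "me@example.com"}),
    "debug": [
        make_token({"sub": "user-42", "email": "someone@example.com"}),
        make_token({"sub": "admin-3", "email": "ops@coins.exchange"}),
    ],
})

if __name__ == "__main__":
    for claims in find_foreign_tokens(SAMPLE_RESPONSE, "user-17"):
        print("token for another account found in response:", claims["sub"], claims["email"])
```

Run as a response-body assertion in an integration test or as a proxy-side check; any non-empty result means the API is leaking another account's credentials.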

It might also allow hackers to install malware on the website and transfer funds out of user accounts, the trader claims. During an interview in August 2018, Daniel Skowronski, the CEO of DX.Exchange, had said the trading platform had almost 600,000 registered users.

Was Easy To Obtain User Tokens From Exchange

Commenting on how easy it was to obtain user tokens from the exchange, the trader said:

I got tokens from the exchange itself. You can see from the account’s email address [that] it's @coins.exchange. I have pretty good confidence I could do this for a day and get an administrative token and have everything.

Notably, Coins.Exchange is the domain used by administrative account holders working for DX.Exchange.

After DX.Exchange’s support team was informed (by Ars Technica) that the trading site had security vulnerabilities, the platform’s developers were able to fix the problem. An official statement quoted by Ars read:

The bug was immediately identified and suppressed the minute [we] received ... professional feedback. DX is in a Soft Launch, where we got some unexpected and positive mass attention from news media all over the world. Due to the high volume of interest in our platform and heavy signups, we discovered some bugs, most are fixed, few are going under examination right now. We are confident to be able to fix them all and finalize our launch in the shortest time.

JPMorgan Chase Accused of Fixing Metal Prices Despite Talk of Bitcoin Market Manipulation

  • Wall Street giant JPMorgan Chase's metals desk has been accused of 'thousands' of trades related to price-fixing.
  • US prosecutors have invoked RICO laws against the bank which are reserved for organized crime rings. 

While the U.S. Securities & Exchange Commission (SEC) and other regulatory bodies have been critical of bitcoin over market manipulation, new reports reveal that JPMorgan Chase is facing allegations of fixing prices for precious metals. 

JPMorgan Chase Price-Fixing

According to a report by Bloomberg on Sept. 16, U.S. prosecutors have invoked the racketeering law (RICO) against JPMorgan Chase’s metals desk, which is being described as a criminal enterprise. For nearly a decade, employees of the trading desk have allegedly engaged in thousands of illegal moves to price-fix precious metals and defraud market investors. 

Assistant Attorney General Brian Benczkowski told journalists, 

Based on the fact that it was conduct that was widespread on the desk, it was engaged in in thousands of episodes over an eight-year period -- that it is precisely the kind of conduct that the RICO statute is meant to punish.

RICO is typically reserved for only the most severe, organized crime rings, with former prosecutors calling it a bold move by the Justice Department against the bank. Prosecutors claim that more than a dozen employees participated in the scheme, with two having already pleaded guilty and cooperating with authorities. 

Crypto supporters have been quick to point out the irony in JPMorgan’s situation. Jamie Dimon, CEO of the Wall Street bank, has been one of the most vocal detractors of bitcoin over the years, famously calling the crypto-asset a “fraud” in Sept. 2017.


Featured Image Credit: Photo via Pixabay.com