Security Alert: User Data, Login Tokens Leaked from DX.Exchange

DX.Exchange, an Estonia-based trading platform that will reportedly allow users to trade Apple, Facebook and Tesla stocks from anywhere in the world (24/7), may have serious security vulnerabilities that could compromise large amounts of user data.

DX.Exchange’s website collects sensitive financial and legal information from its users, in order to provide trading services. According to Ars Technica, a prospective trader created a “dummy account” to check whether the DX.Exchange platform was secure.

The trader noted that when he sent DX.Exchange a trading request from his browser, the message included an “extremely long string of characters” (called an “authentication token”). The token is like a secret passphrase the website requires before allowing users to access their account. However, the user revealed that DX.Exchange had been sending responses (to the request) that included “all kinds of extraneous data.”

Sharing "Other Users' Authentication Tokens" & Personal Information

After carefully examining the data sent by DX.Exchange, the user found that the trading platform had been sharing “other users’ authentication tokens and password-reset links.”

The trader, who has reportedly asked not to be identified for security reasons, told Ars Technica:

I have about 100 collected tokens over 30 minutes. If you wanted to criminalize this, it would be super easy.

The tokens sent from DX.Exchange’s servers are formatted according to the open JSON Web Token (JWT) standard. Notably, the trader revealed that it’s possible to gain access to the full names and email addresses belonging to DX.Exchange users by simply plugging the leaked strings into the trading platform’s website.

Could Have Been Possible To "Download Entire User Databases"

In order to help him test whether DX.Exchange’s website was protecting customer data, the trader had turned on developer tools in his Google Chrome browser. He found that anyone who possesses a user’s token will be able to access their account. Even if the user logs out, an attacker can still access their account through the site’s programming interface (API), the trader explained.

In addition to allowing unauthorized access and compromising user data, the DX.Exchange site can reportedly be exploited to obtain tokens belonging to employees of the company. If an attacker is able to gain access to an employee’s account (using tokens) that has administrative privileges, then it could be possible to download entire user databases.

It might also allow hackers to install malware on the website and transfer funds out of user accounts, the trader claims. During an interview in August 2018, Daniel Skowronski, the CEO of DX.Exchange, had said the trading platform had almost 600,000 registered users.

Was Easy To Obtain User Tokens From Exchange

Commenting on how easy it was to obtain user tokens from the exchange, the trader said:

I got tokens from the exchange itself. You can see from the account’s email address [that] it's I have pretty good confidence I could do this for a day and get an administrative token and have everything.

Notably, Coins.Exchange is the domain used by administrative account holders working for DX.Exchange.

After DX.Exchange’s support team was informed (by Ars Technica) that the trading site had security vulnerabilities, the platform’s developers were able to fix the problem. An official statement from DX.Exchange, quoted by Ars, noted:

The bug was immediately identified and suppressed the minute [we] received ... professional feedback. DX is in a Soft Launch, where we got some unexpected and positive mass attention from news media all over the world. Due to the high volume of interest in our platform and heavy signups, we discovered some bugs, most are fixed, few are going under examination right now. We are confident to be able to fix them all and finalize our launch in the shortest time.
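The two defects described above (other users’ JWTs appearing in API response bodies, and tokens staying valid after logout) can both be checked for server-side. The following is an added example, not code from DX.Exchange or Ars Technica: it mints constructed HS256 tokens with a placeholder secret, runs an egress check that flags any JWT in a response whose subject is not the caller, and keeps a revocation list keyed by the token’s `jti` claim so that logout actually ends the session.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed demo secret (assumption for the example; not the exchange's key).
SECRET = b"demo-secret-not-real"
# Three base64url segments separated by dots: the shape of a compact JWT.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_jwt(claims: dict) -> str:
    """Mint an HS256 JWT so the constructed response below carries real-looking tokens."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Read the payload without verifying the signature: fine for an audit, never for auth."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def foreign_subjects(response_body: str, caller_sub: str) -> list:
    """Egress check: subjects of any JWT in the body that do not belong to the caller."""
    found = [decode_claims(t).get("sub") for t in JWT_RE.findall(response_body)]
    return sorted({s for s in found if s and s != caller_sub})


class RevokedTokens:
    """Server-side denylist keyed by jti, so a logged-out token is rejected by the API."""
    def __init__(self):
        self.revoked = set()

    def logout(self, token: str) -> None:
        self.revoked.add(decode_claims(token)["jti"])

    def is_active(self, token: str) -> bool:
        return decode_claims(token)["jti"] not in self.revoked


# Constructed sample: the caller's own token plus one belonging to another user.
MINE = make_jwt({"sub": "user-1", "email": "me@example.test", "jti": "a1"})
OTHER = make_jwt({"sub": "user-2", "email": "other@example.test", "jti": "b2"})
SAMPLE_RESPONSE = json.dumps({"orders": [], "session": MINE, "debug": {"recent": [OTHER]}})
```

A non-empty result from `foreign_subjects` on a real response is exactly the condition the trader observed; in production the check would run as a response filter and the revocation list would be backed by a shared store with entries expiring at the token’s `exp`.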

Trans-Fee-Mining Exchanges' Market Share in Decline - Report

  • TFM exchange volume down 53% in September
  • Only 32% of crypto trading volume is TFM volume

According to the latest exchange report from CryptoCompare (September), the trade volume on “trans-fee-mining” -- or transaction fee mining (TFM) -- exchanges dropped dramatically between August and September, more than halving. The overall proportion of transaction volume in the crypto markets comprised of TFM has thus declined significantly during this period.

Figure: Overall volume by fee type (Source: CryptoCompare)

Specifically, trade volume on TFM exchanges accounted for $174 billion during September, down from $375 billion during August. The more classical taker-fee exchanges, which charge a small percentage to execute a market order, typically outdo trans-fee exchanges even if only slightly. But during September, they exchanged $358 billion, up from $355 billion in August, far out-trading TFMs.

Transaction fee mining (or “mining”) occurs when users are rewarded, rather than charged, for executing orders on an exchange. Typically, exchanges allow free trades for users posting limit orders, which are orders set at a certain price. Otherwise, if users want to buy or sell immediately at whatever the current price is, they are usually charged a small fee. The rationale here is that exchanges want as many users as possible to post orders, so that order books are nice and thick (traders like liquidity).

Trouble With Trans-Fees

The TFM exchanges go one step further by rewarding all users just for trading on their exchanges, with in-house tokens. The idea is, again, to attract more traders and thus more liquidity.

In a sense, this model is the epitome of speculation, whereby users accrue large quantities of tokens betting that they will someday be worth more. Some have claimed, however, that this incentive encourages “wash trading,” an unwelcome form of market liquidity that is actually banned in traditional, regulated markets. This is when the same entity, or colluding entities, trade back and forth with each other.

In traditional markets, this is done in order to manipulate assets’ prices and set up exploitative trades. Here, the goal would be different but the effect is still undesirable: exchanges with high transaction volume but low order book depth may result in erratic price changes on cryptoassets. CryptoGlobe tackled the question last year of whether or not this sort of trading constitutes “fake volume.”

In CryptoCompare’s June 2019 Exchange Benchmark guide (pdf available here), exchanges employing the trans-mining model were generally classified as “Lower Quality,” despite volume on such exchanges rising as a percentage of the total market at the time. It seems that the trend may be shifting again.

Featured image via Pixabay.