The bright new shiny trading site that just launched, DX.Exchange, is already tarnished. Ars Technica reports that the site has been leaking account login credentials and user information.
DX.Exchange, a digital stock exchange that deals in digital tokens or stocks based on actual shares, has stirred excitement because of the advantages it offers over traditional shares. Bloomberg writes that these shares, “can be traded even when exchanges are closed, and traders can choose to buy fractions of a share. They could also give foreign investors the ability to buy and sell U.S. shares they might otherwise struggle to access.”
Fanfare over, an online trader discovered some serious flaws after using developer tools in the Chrome browser to test the security of the exchange’s site. According to Ars Technica, in the process of sending DX.Exchange a request through his browser, he got a whole lot more information than he expected. Among the data in the DX.Exchange response were sensitive details, including other traders’ authentication tokens and password-reset links.
Writes Ars Technica, “The tokens are formatted in an open standard known as JSON Web tokens. By plugging the leaked text strings into this site, it’s trivial to see the full names and email addresses of the DX.Exchange users they belong to. Even worse, the trader used his dummy account to confirm that anyone with possession of a token can gain unauthorized access to an affected account, as long as the user hasn’t manually logged out since the token was leaked.”
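The reason a leaked token is so damaging is structural: a JSON Web Token is three base64url segments (header, claims, signature), and only the signature involves a secret. The claims are readable by anyone who holds the string, which is why the "paste it into a decoder" step above needs no key. The following Python is an added illustration, not code from Ars Technica, the trader, or DX.Exchange; it builds a token with a constructed demo key and constructed claims, reads the claims back with no key at all, and flags the personal-data claims a defender would want kept out of a bearer token in the first place.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Tuple

# Constructed demo key and claim names: assumptions for this example, not values from the page.
DEMO_KEY = b"demo-signing-key-not-real"
PII_CLAIM_NAMES = {"name", "given_name", "family_name", "email", "phone_number"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a minimal HS256 JWT so the example is self-contained."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, claims) without touching the signature.

    This is all a public JWT decoder does: the payload is base64url-encoded JSON,
    not ciphertext, so no key is needed to read whatever was put in it.
    """
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> bool:
    """Signature check: the only step of JWT handling that needs the secret."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def audit_pii_claims(claims: dict) -> List[str]:
    """Flag claim names that place personal data into a readable bearer token."""
    return sorted(name for name in claims if name in PII_CLAIM_NAMES)


if __name__ == "__main__":
    # Constructed claims: a made-up user, not a real DX.Exchange account.
    token = make_hs256_token(
        {"sub": "user-1234", "name": "Example Trader",
         "email": "trader@example.com", "exp": 1700000000},
        DEMO_KEY,
    )
    header, claims = decode_unverified(token)
    print("Header:", header)
    print("Claims readable with no key:", claims)
    print("Signature valid with the real key:", verify_hs256(token, DEMO_KEY))
    print("Signature valid with a wrong key:", verify_hs256(token, b"wrong-key"))
    print("PII claims to remove from the token:", audit_pii_claims(claims))
```

Two defensive takeaways follow from running it: a token should carry an opaque subject identifier rather than names and addresses, so that a leak exposes less, and the server must treat every token as a bearer credential, which means never echoing other users' tokens in API responses and keeping a revocation path (short expiry plus a server-side denylist) so that logging out, or an incident, actually invalidates the token.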
Adding to the bad news, the trader also found a way to create a permanent backdoor that would allow an attacker to continue to have access even if an account holder logs out. But making matters even worse, Ars Technica reports, is that some of the leaked tokens seemed to be related to DX.Exchange’s employees. “In the event that such a token gave unauthorized access to an account with administrative privileges, the hacker might be able to download entire databases, seed the site with malware, and possibly even transfer funds out of user accounts.”
This is an alarming and unfortunate development for a site that had such a positive start upon its debut. The site is said to have 600,000 users. DX.Exchange told Ars Technica that it was in a soft launch and that the volume of positive attention it got right out of the gate was unexpected. It also said that the bug behind the leak found by the trader had been fixed. The exchange is working to address other bugs as well before its final-stage launch.
Get the full story at Ars Technica.