The cryptocurrency based in Estonia and the tokenized DX.Exchange grant have established a critical vulnerability that has leaked sensitive user data.
The Ars Technica tech news website reported on the safety leak on January 9th, citing an anonymous merchant who conducted a DX.Exchange security analysis.
According to the article by Ars Technica, a trader, who wanted to remain anonymous due to legal problems, noted that the exchange was sending sensitive data from other users to their browser. After reviewing the data, the trader discovered that the data included other users' authentication tokens and password reset links:
"I collected about 100 [authentication] tokens for over 30 minutes, […] if I wanted to criminalize it, it would be very simple. "
Authentication tokens have been declared formatted in the JSON Web token standard and could easily be decrypted with the use of online tools, obtaining full names and e-mail addresses of exchange users.
According to Ars Technica, the trader explained that tokens could grant access to their associated accounts, provided that the user did not manually log out after the token was leaked.
The trader also reported having found a way to permanently backdoor an account using the platform's programming interface, which would grant him access even after a user has logged off.
In addition, Ars Technica has reported that some of the access data leaked from the platform belong to site employees. The article explains the severity of the problem:
"In the event that such a token provides unauthorized access to an account with administrative privileges, the hacker may be able to download entire databases, spread the site with malware and even transfer funds from user accounts."
The same Ars Technica would have checked and confirmed the presence of the vulnerabilities discovered by the trader, obtaining what he described as a large number of authentication tokens through the programming interface available to the public.
Ars Technica has contacted DX.Exchange and, according to the article, the loss has been corrected.
In response to a request for comments from Cointelegraph, DX.Exchange claimed that the vulnerability was successfully corrected and that customer funds are completely secure. The CEO of the exchange Daniel Skowronski commented:
"We are pleased to report that the vulnerability has been corrected successfully and that no user funds have been compromised."
As Cointelegraph reported on January 3, DX.Exchange leverages Nasdaq's FAS (Financial Information Exchange) protocol and allows its users to negotiate tokenised actions of large companies, including Google, Facebook and Amazon.
[ad_2]Source link