The trading platform for security tokens, DX.Exchange, announced a fix for a security vulnerability that allowed anyone to gain access to user authentication tokens.
DX.Exchange, launched on Monday, offers cryptocurrency tokens representing shares of a number of companies listed on the Nasdaq exchange. The platform uses the matching mechanism and the financial-information exchange protocol of the famous stock exchange, which works with shares of high-tech companies.
However, during the first days after launch, it was discovered that at DX.Exchange it was possible to gain access to sensitive data, including password reset links. This was reported yesterday by Ars Technica, which in turn received the information from an anonymous trader. It is unclear how many user accounts could have been compromised, although, according to the publication's source, he collected “about 100 tokens within 30 minutes”. For an experienced trader it was not difficult to understand the mechanisms the exchange used to handle user information, and the findings were most disappointing.
“If you want to use it for criminal purposes, it will be super-easy,” said Ars Technica's source.
He explained that the exchange's responses to requests turned out to contain “various types of extraneous data”, which in fact became the key to other users' confidential information. The editors followed the trader's example, tracing the data exchange with the platform, and finally confirmed that it was possible to collect “a large number” of authentication tokens. Emailing the users behind “eight randomly chosen tokens”, the journalists received a response from one of them, who said that he had in fact registered on the exchange an hour earlier.
In the DX.Exchange statement, which followed the technical work the exchange had announced to “improve functionality” and “fix a few bugs,” the problem was described as “an error in authentication tokens.” However, the exchange insists that the vulnerability was removed in a short time, before users could be harmed.
“We are happy to report that the vulnerability was successfully eliminated, and user funds were not compromised … User funds were always safe; our multi-level advanced monitoring and protection mechanisms were able to prevent any problem that could arise in the future,” said CEO Daniel Skowronski.
He also thanked the Ars Technica journalist, who contacted the exchange's specialists in a timely manner. As noted in the statement, any developer who discovers bugs in the future can report them to the exchange directly through a dedicated reward program.