DX.Exchange Claims It Has Fixed Serious Security Weaknesses Detected on the Platform
Originally published on: CoinSpeaker
January 11, 2019
Data and asset security remains one of the most important issues in the crypto space. Preventing a vulnerability is always better, but once one has been detected, it is vital to react quickly so that funds are not affected.
CoinSpeaker has already reported that DX.Exchange positions itself as a revolutionary Estonia-based cryptocurrency exchange that lets its users trade tokenized Nasdaq stocks and cryptocurrencies on the same platform.
The platform, which went live on Monday, is said to use Nasdaq’s matching engine and financial data exchange protocol to enable the trading of these digital securities.
Nevertheless, within its first few days, a security vulnerability was detected and reported by the tech news website Ars Technica. According to the report, a trader who preferred to remain unnamed due to the nature of the situation conducted a security analysis of DX.Exchange.
In the course of this analysis, he found that some sensitive data belonging to the exchange’s users was being sent to the browser. The main problem was that the leaked data contained users’ authentication tokens and password reset links.
Because the tokens are formatted using an open standard known as JSON Web Tokens, they can be easily accessed by anyone who can obtain the full names and email addresses of the token holders.
“I have about 100 collected tokens over 30 minutes. If you wanted to criminalize this, it would be super easy,” concluded the anonymous trader.
He also said that, knowing these weak points of the platform, fraudsters could easily gain access to accounts not only while their owners were still logged in but even after they had logged out.
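A regression check a defender could run over API responses for the kind of leak described above: it flags authentication tokens that do not belong to the requesting session, personal data carried in token claims, and password reset links. This is an added example, not code from DX.Exchange or the original article; the claim names (`sub`, `email`, `name`), the reset-link pattern and the sample response are assumptions constructed for illustration.

```python
import base64, json, re

# Compact JWT: three base64url segments; an encoded JSON header starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# Hypothetical reset-link shape; adjust to the application's real route.
RESET_RE = re.compile(r"https?://[^\s\"']*reset[^\s\"']*", re.I)

def b64url_json(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def jwt_claims(token):
    """Return payload claims (readable without the signing key), or None."""
    try:
        header, payload, _sig = token.split(".")
        b64url_json(header)  # reject look-alikes whose header is not JSON
        claims = b64url_json(payload)
        return claims if isinstance(claims, dict) else None
    except ValueError:  # bad base64, bad JSON or wrong segment count
        return None

def audit_response(body, session_subject):
    """List findings for one response body sent to `session_subject`."""
    findings = []
    for token in JWT_RE.findall(body):
        claims = jwt_claims(token)
        if claims is None:
            continue
        if claims.get("sub") != session_subject:
            findings.append(("foreign_token", claims.get("sub")))
        pii = sorted(k for k in claims if k in ("email", "name"))
        if pii:
            findings.append(("pii_in_claims", ",".join(pii)))
    findings += [("reset_link", None)] * len(RESET_RE.findall(body))
    return findings

def make_token(claims):  # constructed sample token with a dummy signature
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

# Constructed response: the caller's own token plus another user's record.
SAMPLE_BODY = json.dumps({
    "me": {"token": make_token({"sub": "user-1"})},
    "trades": [{"by": {"token": make_token({"sub": "user-2", "email": "b@example.test"}),
                       "reset": "https://exchange.example.test/password/reset/abc"}}],
})

if __name__ == "__main__":
    print(audit_response(SAMPLE_BODY, "user-1"))
```

Run as part of an API test suite, any non-empty result for a response fails the build, which catches this class of over-sharing before it reaches a browser.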
It took DX.Exchange less than a day, however, to report that it had fixed the critical vulnerability that leaked sensitive user data, adding that no user funds had been affected.
In his statement, Daniel Skowronski, CEO of DX.Exchange, said:
“We would like to thank the vigilant reporter, and our supportive community, who together, brought this issue to our attention. We are happy to report that the vulnerability has been successfully patched, and no user funds were compromised. Our launch was met with a stellar response from our community eager to trade cryptocurrencies and digital stocks. Customer funds were always safe, our multi layer advanced monitoring and defense mechanism was able to avoid any further issue.”
DX.Exchange also invited any developers who discover bugs in the future to inform the exchange directly through a dedicated bug bounty program. It is strongly believed that this program will help fix any vulnerabilities in a timely manner, before they can cause harm to users’ funds.