The newly launched tokenized trading platform DX.Exchange has serious security issues that could easily jeopardize its users' sensitive data and funds if the leaked information fell into malicious hands.
An online trader whose identity remains secret for legal reasons ran some checks on the newly launched DX.Exchange platform and found that the site was leaking sensitive legal and financial data, putting users' personal information and even their funds at risk.
According to the trader, he created a dummy account because he wanted to gauge the platform's robustness and security level, since it collects a fair amount of users' sensitive information, such as financial and legal data.
Soon after opening the developer tools in the Google Chrome browser to explore further, he found some alarming details.
The data visible in the browser contained other users' password-reset links as well as their authentication tokens, the token a user needs to access their account. The tokens are formatted using an open standard called JSON Web Tokens (JWT), which anyone with enough skill could decode to obtain the email addresses and full names of the tokens' owners.
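The point the trader is making is that a JWT's payload is only base64url-encoded, not encrypted: the signature proves who issued the token, it does not hide the claims inside it. The following added example (not code from the article or from DX.Exchange) builds a few constructed HS256 tokens with a made-up secret, decodes their claims without the key, and then runs a simple scanner over a constructed API response body to report which tokens, and which personal fields, a response is handing out. A defender can run the same scan over their own application's responses to catch exactly this kind of leak.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed demo secret; the real signing key is never needed to READ claims.
DEMO_SECRET = b"demo-signing-key-not-real"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT (RFC 7519). Used here only to construct sample tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    This is the whole problem: no key is required to read names and emails.
    """
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(payload_b64))


# Three base64url segments separated by dots; base64url of '{"' is always 'eyJ',
# so both the header and a JSON-object payload start with that prefix.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def find_leaked_tokens(body: str, pii_claims=("email", "name")) -> list:
    """Scan a response body for JWTs and report the personal data each one exposes."""
    findings = []
    for match in JWT_RE.finditer(body):
        token = match.group(0)
        try:
            claims = decode_jwt_claims(token)
        except ValueError:  # bad base64 or non-JSON payload: not a real JWT
            continue
        exposed = {k: claims[k] for k in pii_claims if k in claims}
        findings.append({"token": token, "sub": claims.get("sub"), "exposed": exposed})
    return findings


# Constructed sample: a response body that wrongly carries OTHER users' session tokens.
SAMPLE_USERS = [
    {"sub": "u1001", "name": "Alice Example", "email": "alice@example.test"},
    {"sub": "u1002", "name": "Bob Example", "email": "bob@example.test"},
]
SAMPLE_BODY = json.dumps({
    "status": "ok",
    "sessions": [{"token": make_jwt(u, DEMO_SECRET)} for u in SAMPLE_USERS],
})


def demo() -> list:
    """Run the scanner over the constructed body; returns one finding per token."""
    return find_leaked_tokens(SAMPLE_BODY)


if __name__ == "__main__":
    for finding in demo():
        print(finding["sub"], finding["exposed"])
```

The remedy is not to obscure the claims but to stop the server from returning tokens that belong to anyone other than the authenticated caller, and to treat every JWT payload as public when deciding what to put in it.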
“I have about 100 collected tokens over 30 minutes,” he said. Anyone with enough skill who knew about this site could easily see the full names and email addresses of the DX.Exchange users the tokens belong to.
“If you wanted to criminalize this, it would be super easy,” he continued.
Although this discovery was already bad enough, the anonymous trader unearthed further security issues with the DX.Exchange platform. The leak endangered the entire system, as token data belonging to the company's employees was also accessible.
The trader allegedly informed DX.Exchange about the issues, and within 24 hours the company acted by scheduling a maintenance update to “perform several bug fixes and updates.”