DX.Exchange, a platform that allows cryptocurrency trading and the trading of tokenized conventional US stocks, was hit by a major security breach just after its January 7 launch.
A savvy trader decided to test the new platform's security. After some initial digging, he turned on developer tools inside his Google Chrome browser. That's when things started to go awry.
An authentication token is a long string of characters that a user's browser sends to a website with each request to prove that the user is logged in. When the trader's authentication token was received by DX.Exchange, the site sent back responses that were valid but included extra, highly sensitive data, including other users' authentication tokens and password-reset links.
The anonymous trader told Ars Technica: "I have about 100 collected tokens over 30 minutes. If you wanted to criminalize this, it would be super easy."
The tokens were formatted in an open standard called JSON Web Tokens (JWT). Because a JWT's payload is only encoded, not encrypted, the trader could identify the names and email addresses of DX.Exchange users by taking the leaked data and using a website to decode it. The trader confirmed that anyone with an authentication token could gain access to affected accounts unless the user manually logged out after the token was leaked. Further, even if a user did log out, a potential attacker could retain access to the compromised DX.Exchange account by using the site's programming interface (API).
Some of the leaked tokens also appeared to belong to DX.Exchange employees. The trader was confident that if he continued to dig, he could obtain an administrative token that would give him access to everything. Ars Technica confirmed the trader's story by mimicking his steps to gain access to authentication tokens themselves.
The trader did not reveal if he was able to perform a transaction in a DX.Exchange user account when he gained access.
DX.Exchange attributed the issues to the high number of users accessing the site: "Due to the high volume of interest in our platform and heavy signups, we discovered some bugs, most are fixed, few are going under examination right now. We are confident to be able to fix them all and finalize our launch in the shortest time."
The leak was apparently fixed the day after it was discovered; DX.Exchange published a blog post on January 10 in response to the security issue:
"DX.Exchange reports that it has successfully patched and shut down a security vulnerability, resulting from an authentication token error. The exchange responded immediately, by introducing a security patch, preventing any threat to users and their funds."
CEO Daniel Skowronski thanked the "vigilant" reporter for calling attention to the breach, adding: "Customer funds were always safe, our multi-layer advanced monitoring and defense mechanism was able to avoid any further issue."
DX.Exchange also confirmed it now has a bug bounty program where developers can report bugs and "receive discretionary compensation."
Ars Technica, however, raised a number of concerns over the security protocols for the DX.Exchange site:
"Besides the leak itself, there's also the sloppiness of its token system. Best practices call for authentication tokens to be time stamped and then signed with a private encryption key each time a user sends it to a site. This prevents what are known as replay attacks, in which hackers gain unauthorized access to an account by copying the user's valid Web request and pasting it into a new, fraudulent request."
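As an added example (not code from DX.Exchange or Ars Technica), the following Python illustrates the two points raised above: a JWT payload can be read by anyone holding the token, so identity claims in it are exposed the moment it leaks, while a server that checks the signature, a short expiry and a logout deny-list rejects replayed or revoked copies. The signing secret, claims and token ids are constructed demo values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values, not the exchange's real key or tokens.
SERVER_SECRET = b"demo-signing-key-not-real"
REVOKED_JTI = set()  # server-side deny-list so logout really invalidates a token

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, ttl_seconds: int = 300, now=None) -> str:
    """Sign an HS256 JWT with a short expiry (exp) and keep the caller's jti."""
    now = int(time.time()) if now is None else now
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(SERVER_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def peek_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying: no secret needed, so PII in a leaked JWT is exposed."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_token(token: str, now=None):
    """Return the claims only if signature, expiry and revocation checks all pass."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None                        # malformed token
    expected = hmac.new(SERVER_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None                        # tampered or forged
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return None                        # replaying an old token fails
    if claims.get("jti") in REVOKED_JTI:
        return None                        # revoked at logout or during an incident
    return claims

def revoke(token: str) -> None:
    """Logout handler: deny-list the token id so a leaked copy becomes useless."""
    REVOKED_JTI.add(peek_claims(token).get("jti"))
```

The short expiry bounds how long a leaked token is useful; the deny-list is what makes "log out" actually close the window the article describes.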
Although the breach did not appear to result in any loss of funds for DX.Exchange users, the discovery of such a significant security issue hard on the heels of a new product launch is bound to affect the reputation of the exchange.