Tuesday Jan 22nd 2019
New DX.Exchange Fixes Security Vulnerability That Exposed User Data

By Melanie Kramer, Writer, ETHNews.com

The tokenized securities trading platform, launched just this week, was quickly subject to a major security snafu.

DX.Exchange, a platform that allows cryptocurrency trading and the trading of tokenized conventional US stocks, was hit by a major security breach just after its January 7 launch.

A savvy trader decided to test the new platform's security. After some initial digging, he turned on developer tools inside his Google Chrome browser. That's when things started to go awry.

An authentication token is a long string of characters that each user's browser sends to the website whenever the user wants to access their account. When DX.Exchange received the trader's authentication token, the site sent back responses that were valid but included extra, highly sensitive data: other users' authentication tokens and password-reset links.

The anonymous trader told Ars Technica: "I have about 100 collected tokens over 30 minutes. If you wanted to criminalize this, it would be super easy."

The tokens were formatted in an open standard called JSON Web Tokens (JWT). Because a JWT's payload is only base64-encoded, not encrypted, the trader could identify the names and email addresses of DX.Exchange users by pasting the leaked data into a web-based decoder. The trader confirmed that anyone holding an authentication token could gain access to the affected account unless the user manually logged out after the token was leaked. Further, even if a user did log out, a potential attacker could retain access to the compromised DX.Exchange account by calling the site's application programming interface (API) directly.

Some of the leaked tokens also appeared to belong to DX.Exchange employees. The trader was confident that if he continued to dig, he could obtain an administrative token that would give him access to everything. Ars Technica confirmed the trader's story by mimicking his steps to gain access to authentication tokens themselves.

The trader did not reveal if he was able to perform a transaction in a DX.Exchange user account when he gained access.

DX.Exchange attributed the issues to the high number of users accessing the site: "Due to the high volume of interest in our platform and heavy signups, we discovered some bugs, most are fixed, few are going under examination right now. We are confident to be able to fix them all and finalize our launch in the shortest time."

The leak was apparently fixed the day after it was discovered; DX.Exchange published a blog post on January 10 in response to the security issue:

"DX.Exchange reports that it has successfully patched and shut down a security vulnerability, resulting from an authentication token error. The exchange responded immediately, by introducing a security patch, preventing any threat to users and their funds."

CEO Daniel Skowronski thanked the "vigilant" reporter for calling attention to the breach, adding: "Customer funds were always safe, our multi layer advanced monitoring and defense mechanism was able to avoid any further issue."

DX.Exchange also confirmed it now has a bug bounty program where developers can report bugs and "receive discretionary compensation."

Ars Technica, however, raised a number of concerns over the security protocols for the DX.Exchange site:

"Besides the leak itself, there's also the sloppiness of its token system. Best practices call for authentication tokens to be time stamped and then signed with a private encryption key each time a user sends it to a site. This prevents what are known as replay attacks, in which hackers gain unauthorized access to an account by copying the user's valid Web request and pasting it into a new, fraudulent request."
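The practice Ars Technica describes, a timestamped request that the client signs with a secret each time it is sent, is shown below as an added example; it is not code from the article, from Ars Technica or from DX.Exchange. The shared per-session secret, the header names (`X-Timestamp`, `X-Nonce`, `X-Signature`), the `/api/...` paths and the 60-second acceptance window are all constructed for illustration. The server side combines a freshness window with a seen-nonce list so that a copied request, pasted back in later, is refused either as stale or as a repeat.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-session secret shared between client and server. In a real
# system it is issued at login and never placed in a URL or a response body.
SESSION_SECRET = b"constructed-session-secret-do-not-reuse"
MAX_SKEW_SECONDS = 60


def _canonical(method: str, path: str, body: str, timestamp: int, nonce: str) -> bytes:
    """Deterministic byte string covering everything the signature must bind."""
    return "\n".join([method.upper(), path, body, str(timestamp), nonce]).encode()


def sign_request(method, path, body, secret=SESSION_SECRET, now=None, nonce=None) -> dict:
    """Client side: attach a timestamp and a fresh nonce, then sign the canonical form.

    The same request re-sent later carries a stale timestamp and an already-used
    nonce, which is what makes a replay detectable on the server.
    """
    timestamp = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(16) if nonce is None else nonce
    sig = hmac.new(secret, _canonical(method, path, body, timestamp, nonce), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


class ReplayGuard:
    """Server side: verify the signature, the freshness window and nonce uniqueness."""

    def __init__(self, secret=SESSION_SECRET, max_skew=MAX_SKEW_SECONDS):
        self._secret = secret
        self._max_skew = max_skew
        self._seen = {}  # nonce -> timestamp, so entries can be expired

    def verify(self, method, path, body, headers, now=None):
        """Return (accepted, reason) for one incoming request."""
        now = time.time() if now is None else now
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        # Freshness first: anything outside the window is refused before any
        # state is touched, so old captures cannot fill the nonce table.
        if abs(now - timestamp) > self._max_skew:
            return False, "timestamp outside acceptance window"
        expected = hmac.new(self._secret, _canonical(method, path, body, timestamp, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, presented):  # constant-time compare
            return False, "bad signature"
        # Drop nonces older than the window; those replays are already caught
        # by the timestamp check, so the table stays bounded.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self._max_skew}
        if nonce in self._seen:
            return False, "nonce already used (replay)"
        self._seen[nonce] = timestamp
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    body = '{"amount": 1}'
    headers = sign_request("POST", "/api/withdraw", body)
    print("first delivery:", guard.verify("POST", "/api/withdraw", body, headers))
    print("same request again:", guard.verify("POST", "/api/withdraw", body, headers))
```

Binding the method, path and body into the signature is what stops a captured request from being edited as well as repeated: changing the amount in the body invalidates the signature, and resending it unchanged trips the nonce check inside the window or the timestamp check outside it.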

Although the breach did not appear to result in any loss of funds for DX.Exchange users, the discovery of such a significant security issue hard on the heels of a new product launch is bound to affect the reputation of the exchange.

Melanie Kramer

Melanie Kramer is a freelance FinTech, blockchain, and cryptocurrency writer based between France and Canada. Melanie has studied, and retains an avid interest in, global politics, business, and economics.
