The new trading platform DX.Exchange is not secure and leaks all kinds of sensitive and personal user data, an anonymous cryptocurrency trader says, as reported by Ars Technica on 9 January.
DX.Exchange, a new cryptocurrency exchange that Crypto Insiders has already written about, enables trading in shares of companies like Apple and Tesla using digital tokens. This means that you can also trade in these shares when the stock exchanges are closed.
The anonymous trader reportedly created a dummy account and used the developer tools in the Chrome browser to see where the problems are.
To gain access to an account on the website, an authentication token is sent, but the trader noticed that there is a lot of extra data as well, including the authentication tokens of other users and links to reset passwords.
“I have collected about 100 tokens in 30 minutes, and if you wanted to criminalize this, it would be super simple.”
So said the trader, who asked not to be identified because he feared that the site would take legal action against him. It was also noticed that some of the leaked tokens belong to employees of the website. This would allow access to the entire website, making it possible to transfer its databases and possibly even money from user accounts.
“I got tokens from the exchange itself. You can see from the email address of an account that it’s an @coins.exchange. I’m pretty confident that I can do this for a day and get an admin token and could get everything.”
Coins.Exchange is the domain used by many DX.Exchange employees. In the meantime the website has reportedly undergone maintenance, but that does not seem to have solved the problem yet.
The exchange says it is currently in a soft launch and had not expected as much attention as it has received.
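A regression check for the over-sharing described above, as an added example that is not code from DX.Exchange or from the original report: it walks a JSON response and flags any credential or password-reset link other than the caller's own token. The response layout, the key-name patterns and every value are constructed assumptions.

```python
import re

# Key names that suggest a credential or recovery value (assumed list).
SENSITIVE_KEY = re.compile(r"token|secret|password|reset", re.I)
# Values that look like password-reset links (assumed pattern).
RESET_URL = re.compile(r"https?://\S*reset", re.I)

# Constructed sample: a login response that carries other users' data.
SAMPLE_LOGIN_RESPONSE = {
    "user": {"email": "dummy@example.test", "token": "tok-own-0001"},
    "recent": [
        {"email": "alice@example.test", "token": "tok-other-0002"},
        {"email": "bob@example.test",
         "resetLink": "https://exchange.example.test/password/reset?code=PLACEHOLDER"},
    ],
}


def audit_response(body, own_token, path="$", key=""):
    """Return (json_path, reason) for each value the caller should not receive."""
    if isinstance(body, dict):
        return [f for k, v in body.items()
                for f in audit_response(v, own_token, f"{path}.{k}", k)]
    if isinstance(body, list):
        # List items inherit the key of the list that holds them.
        return [f for i, v in enumerate(body)
                for f in audit_response(v, own_token, f"{path}[{i}]", key)]
    # Only strings can be tokens or links; the caller's own token is expected.
    if not isinstance(body, str) or body == own_token:
        return []
    if RESET_URL.search(body):
        return [(path, "password-reset link")]
    if SENSITIVE_KEY.search(key):
        return [(path, "credential not issued to caller")]
    return []


if __name__ == "__main__":
    own = SAMPLE_LOGIN_RESPONSE["user"]["token"]
    for where, why in audit_response(SAMPLE_LOGIN_RESPONSE, own):
        print(f"{where}: {why}")
```

Run against every authenticated endpoint in an API test suite, a non-empty result fails the build before a response like this reaches production.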