Hot new trading site leaked oodles of user data, including login tokens
The past few days have showered plenty of favorable attention on a new trading platform called DX.Exchange, with glowing profiles by Bloomberg News and CNBC. The only problem is that the site, which allows people to trade currencies and digitized versions of Apple, Tesla, and other stocks, has been leaking oodles of account login credentials and personal user information.
A few days ago, an online trader who heard about DX.Exchange decided to check out the site to see if it might be something he wanted to use. Besides assessing the robustness of the site’s features, he also wanted to make sure it had good security hygiene. After all, the site collects a fair amount of sensitive financial and legal information about its users, and this prospective customer wanted to make sure those details wouldn’t fall into the wrong hands. So he created a dummy account and began to poke around. To get better visibility, he turned on the developer tools inside the Chrome browser.
Super easy to criminalize
Almost immediately, the trader identified a major problem. When his browser sent DX.Exchange a request, it included an extremely long string of characters, called an authentication token, which is supposed to be a secret the site requires when a user accesses her account. For some unexplained reason, DX.Exchange was sending responses that, while valid, included all kinds of extraneous data. When the trader sifted through the mess, he found that the responses DX.Exchange was sending to his browser contained a wealth of sensitive data, including other users’ authentication tokens and password-reset links.
“I have about 100 collected tokens over 30 minutes,” said the trader, who asked not to be identified because he’s concerned the site might take legal action against him. “If you wanted to criminalize this, it would be super easy.”
The tokens are formatted in an open standard known as JSON Web tokens. By plugging the leaked text strings into this site, it’s trivial to see the full names and email addresses of the DX.Exchange users they belong to. Even worse, the trader used his dummy account to confirm that anyone with possession of a token can gain unauthorized access to an affected account, as long as the user hasn’t manually logged out since the token was leaked.
The trader also figured out a way to permanently backdoor a compromised account by using a site programming interface. That way, even if the rightful holder eventually logs out, the attacker continues to have access. The trader said the site didn’t notify users when the API was invoked. He said he doubted two-factor authentication would prevent account compromises, although he conceded he didn’t test it because it required him to provide his phone number so the site could send him SMS messages.
But wait… it gets worse
Besides spilling user data and allowing unauthorized access to user accounts, the leak puts the entire security of the site in serious jeopardy because some of the leaked tokens appear to belong to employees of the site. In the event that such a token gave unauthorized access to an account with administrative privileges, the hacker might be able to download entire databases, seed the site with malware, and possibly even transfer funds out of user accounts. In an August interview, DX.Exchange CEO Daniel Skowronski said his site had close to 600,000 registered users.
“I got tokens from the exchange itself,” the trader told Ars. “You can see from the account’s email address it’s @coins.exchange. I have pretty good confidence I could do this for a day and get an administrative token and have everything.” (Coins.Exchange is the domain used by many DX.Exchange employees.)
Over the course of several hours, Ars accessed a publicly available programming interface that’s called whenever people interact with DX.Exchange. The result was the site responding with a large number of authentication tokens. Ars sent emails to users of eight randomly chosen tokens to ask if they had accounts on the site. Only one user responded, saying: “I literally signed up less than an hour ago. I may not be the best person to be talking to in regards to your story.”
Ars notified DX.Exchange officials of the leak on Tuesday afternoon. Eight hours later, a member of the site’s security team responded to ask for more details. A few hours later, officials announced a site maintenance update, but even after the site came back online, the leak continued. A little after 8am Pacific Time on Wednesday, the security team member emailed to say the bug had been fixed and thanked Ars for bringing it to his attention. A brief analysis by Ars appeared to confirm the leak was plugged.
The site official offered the following statement:
The bug was immediately identified and suppressed the minute [we] received Ars Technical [sic] professional feedback. DX is in a Soft Launch, where we got some unexpected and positive mass attention from news media all over the world. Due to the high volume of interest in our platform and heavy signups, we discovered some bugs, most are fixed, few are going under examination right now. We are confident to be able to fix them all and finalize our launch in the shortest time.
Ars sent a response asking if DX.Exchange planned to reset all user tokens or passwords and to notify users that a leak exposed their names and email addresses. So far, the officials have yet to respond.
The favorable attention showered on DX.Exchange is unfortunate, because it detracts attention from several security weaknesses that should serve as warning signs that the site may not be adequately safeguarding the tremendous amount of sensitive data it requires users to provide.
Besides the leak itself, there’s also the sloppiness of its token system. Best practices call for authentication tokens to be time stamped and then signed with a private encryption key each time a user sends it to a site. This prevents what are known as replay attacks, in which hackers gain unauthorized access to an account by copying the user’s valid Web request and pasting it into a new, fraudulent request.
Another red flag is the lack of an easy way to report security lapses to site officials. At the time this story was being reported, DX.Exchange didn’t provide any contact information for the site’s security team. It also made no mention of a bug bounty program. The trader said he ended up not knowing how to contact the company and wondering if employees would retaliate against him if he figured out a way. “The fact that I’m even scared to tell them and there’s not even a way to do it, it’s ridiculous,” he said.
Out of an abundance of caution, people who have accounts on DX.Exchange should assume their accounts have been accessed and all information entrusted to the site has been exposed. This article will be updated if more information becomes available.
