Priyeshu Garg · 9 hours ago · 5 min read
DX.Exchange, the Estonian exchange that rose to fame last week after launching tokenized U.S. equities on its platform, is facing scrutiny after a severe security vulnerability was discovered in its framework.
Twitter was alive with excitement over DX.Exchange, a platform that would offer users the ability to buy tokenized versions of popular stocks such as Apple, Tesla, and Amazon.
DX.Exchange goes live today and will support Bitcoin (BTC), Ethereum (ETH), XRP, Cardano (ADA), OmiseGo (OMG), Enigma, ShareToken, and Digibyte.
The new platform gives traders 24-hour, seven-days-a-week access to the traditional stock market.
The beginning of the beginning
— Phillip Nunn 🚀 (@PhillipNunnUK) January 7, 2019
However, heavy skepticism, combined with a security incident, has dampened the enthusiasm.
As reported by Ars Technica on Jan. 10, the highly publicized blockchain exchange is lagging on user security: it has been leaking “oodles of login credentials” and personal user information to the computers of people accessing its platform. The vulnerability was first discovered by an unidentified trader who was analyzing the platform’s security and trading frameworks.
Estonian crypto regulations require businesses to follow strict AML and KYC norms when onboarding users, so submitting personal information is mandatory for creating a user account. As a regulated business, DX.Exchange collects the necessary financial and legal information about its users, but it seemingly fails to provide adequate security measures to protect that data.
The Modus Operandi
The trader created a “dummy” account to analyze the data exchanged between a user and the exchange’s servers. To his dismay, DX.Exchange embedded sensitive data in its “authentication token,” the long alphanumeric string that identifies an authenticated session to the server. Moreover, the tokens sent to his browser included data belonging to other users, exposing a grave loophole in the exchange’s user-interaction process.
The trader added:
“I have about 100 collected tokens over 30 minutes. If you wanted to criminalize this, it would be super easy.”
Technically speaking, the character string is a JSON Web Token (JWT), an open standard in which a server encodes statements (“claims”) about a user into a signed token and grants access based on those claims. For example, a server that validates a token carrying the claim “logged in as admin” will treat the client presenting it as that admin, without asking for a password again.
Anyone in possession of a token generated by DX.Exchange can use it to gain access to the affected account, and the token remains valid as long as the victim does not manually log out. Furthermore, the trader discovered that permanent “backdoor” access to affected accounts is possible through the application programming interface (API), keeping accounts accessible even after victims manually log out.
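As an added example (not code from DX.Exchange, nor from Ars Technica’s report), the following Python shows the two properties behind the incident: a JWT’s payload is only base64-encoded, so anyone holding the token can read every claim in it, and a signed token stays usable until it expires unless the server keeps a revocation list and consults it on every request, which is what makes logout actually end a session. The secret, the claims and the token ids are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; in a real deployment it lives only on the server.
SECRET = b"demo-server-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def read_claims_without_key(token: str) -> dict:
    """The payload is encoded, not encrypted: no key is needed to read it."""
    return json.loads(_b64url_decode(token.split(".")[1]))

# Server-side set of revoked token ids (the "jti" claim); checked on every request.
REVOKED = set()

def verify(token: str, now=None):
    """Return the claims if signature, expiry and revocation checks pass, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None                      # forged or tampered token
        claims = json.loads(_b64url_decode(payload))
    except ValueError:                       # wrong segment count, bad base64 or bad JSON
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now or claims.get("jti") in REVOKED:
        return None                          # expired, or revoked by logout
    return claims

def logout(token: str) -> None:
    """Revoke by token id so the token is refused even before it expires."""
    REVOKED.add(read_claims_without_key(token).get("jti"))
```

Without the `REVOKED` check, a leaked token would keep working until `exp`, regardless of whether its owner logged out.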
While the above is already a serious breach of trust and data, a graver situation arises if a leaked token belongs to a DX.Exchange employee, or worse, to a user with administrative access. Such access would allow an attacker to download entire databases from the private servers, install malware on the site, and even empty user accounts of their funds.
Ars Technica confirmed the hack was reported to DX.Exchange, resulting in a period of site-wide maintenance. The exchange team confirmed the vulnerability but attributed the loophole to its “soft launch” period.
A DX.Exchange official commented:
“The bug was immediately identified and suppressed the minute [we] received Ars technical feedback…. Due to the high volume of interest in our platform and heavy signups, we discovered some bugs, most are fixed, few are going under examination right now. We are confident to be able to fix them all and finalize our launch in the shortest time.”
For an exchange widely publicized by mainstream media outlets for offering U.S. equities on blockchain-based contracts, DX.Exchange has failed to provide even basic security. The incident also confirms the broader public sentiment about the blockchain and cryptocurrency industry: it is over-hyped, has low user adoption, implements poor security practices, and is rife with scams and malpractice.