DX.Exchange updates code to patch security hole

Getting your Trinity Audio player ready...

A serious security flaw on the DX.Exchange security token trading platform would have allowed anyone to access the authentication tokens of the exchange’s users. It was potentially a bad omen for the exchange, which only went live this past Monday. Fortunately, before the problem became too severe, the company was able to create a patch for the flaw and update its servers to provide better user protection.

The exchange provides crypto tokens, representing shares in several firms that are traded on the NASDAQ exchange. It incorporates NASDAQ’s matching engine, as well as its financial information exchange protocol, in order to facilitate the trading of those shares.

Not long after turning on its lights, DX.Exchange inadvertently revealed sensitive data that included, among other things, password reset links. It hasn’t been determined, or at least not been made public, the number of user accounts that may have been affected, but one trader told Ars Technica that he had been able to collect “about 100 tokens over 30 minutes.” Ars confirmed the vulnerability, stating that it, too, had been able to collect “a large number” of authentication tokens.

The security issue had first been reported to the exchange by a journalist. It was later determined that the flaw not only compromised external users, but internal employee accounts, as well. This, if the information had fallen into the wrong hands, could have allowed the exchange’s entire databases to be stolen. The exchange reportedly has around 600,000 registered users.

The exchange acknowledged that the security hole was due to “an authentication token error,” adding that the flaw was patched before any serious damage was possible. The company’s CEO, Daniel Skowronksi, added in a statement that user funds were never at risk, asserting, “We are happy to report that the vulnerability has been successfully patched, and no user funds were compromised … Customer funds were always safe, our multi layer advanced monitoring and defense mechanism was able to avoid any further issue.”

Going forward, DX.Exchange hopes the crypto community will help it clean up its software code. The company’s statement adds that any developer who finds a vulnerability can make a report to the exchange through its bug bounty program.