The past few days have showered plenty of favorable attention on a new trading platform called DX.Exchange, with glowing profiles by Bloomberg News and CNBC. The only problem is that the site, which allows people to trade currencies and digitized versions of Apple, Tesla, and other stocks, has been leaking oodles of account login credentials and personal user information.
A few days ago, an online trader who heard about DX.Exchange decided to check out the site to see if it might be something he wanted to use. Besides assessing the robustness of the site’s features, he also wanted to make sure it had good security hygiene. After all, the site collects a fair amount of sensitive financial and legal information about its users, and this prospective customer wanted to make sure those details wouldn’t fall into the wrong hands. So he created a dummy account and began to poke around. To get better visibility, he turned on the developer tools inside the Chrome browser.
Super easy to criminalize
Almost immediately, the trader identified a major problem. When his browser sent DX.Exchange a request, it included an extremely long string of characters called an authentication token, which is supposed to be a secret the site requires when a user accesses her account; whoever holds a valid token can act as that user without ever typing a password. For some unexplained reason, DX.Exchange was sending responses that, while valid, included all kinds of extraneous data. When the trader sifted through the mess, he found that the responses DX.Exchange was sending to his browser contained a wealth of sensitive data, including other users’ authentication tokens and password-reset links.