- DX.Exchange is set to address security concerns relating to leaked customer data in a blog post Thursday
- As noted by an Ars Technica report, one trader was able to access sensitive information about the exchange’s clients
- The firm says it has “successfully patched and shut down a security vulnerability”
DX.Exchange, the Estonian-regulated digital currency exchange, announced its launch last week with much fanfare, including coverage in Bloomberg, CNBC, and The Block. DX.Exchange offers cryptocurrency trading and is provided with trading technology by Nasdaq, a source at Nasdaq confirmed.
Now, the exchange — which offers trading of tokenized stock of Apple, Facebook, and other tech companies — has come under fire for questionable security practices. As reported by Ars Technica, the company’s site leaked “oodles of account login credentials and personal user information” to one trader. DX.Exchange is set to post a blog addressing the criticisms, which the firm shared exclusively with The Block.
“DX.Exchange reports that it has successfully patched and shut down a security vulnerability, resulting from an authentication token error,” the firm writes, addressing the claims in the Ars Technica piece. “The exchange responded immediately, by introducing a security patch, preventing any threat to users and their funds.”
The report highlights the experience of one trader, who said he checked his Google Chrome account after opening an account with DX.Exchange and noticed that the site was sending him sensitive user information, including authentication tokens that gave him access to other accounts. “The trader also figured out a way to permanently backdoor a compromised account by using a site programming interface,” the report said. “That way, even if the rightful holder eventually logs out, the attacker continues to have access.” Essentially, the trader was sitting in other users’ accounts with full trading access, but it is not clear whether he could withdraw funds.
“The security issue was reported to DX.Exchange directly by a journalist via a non-official support channel,” the firm said. “DX.Exchange was able to respond in time and fix the bug before any actual damage occurred.”
Still, one expert said the company didn’t respond quickly enough. “I expect a smaller company (especially a newer one) to respond very quickly to things like this,” Justin Baugh, VP, Development Operations at EPIX, said.
“Eight hours for confirmation of this scale of breach is also a little long,” he added. “Given the sensitive nature of the data they store, it borders on professional incompetence. I have always found it interesting how a civil engineer can lose their PE license if a bridge they build comes crashing down – yet we let software engineers make the same mistakes over and over, at scale, with very often no consequences involved – except for the users.”
Sharing a Wall Street perspective, Joe Saluzzi, cofounder of Themis Trading, a U.S. broker, described the situation as a “disaster.”
“But I’m sure the Estonian regulators are all over this,” he said sarcastically.
DX.Exchange CEO Daniel Skowronski said the firm’s customer funds were “always safe.”
“Our launch was met with a stellar response from our community eager to trade cryptocurrencies and digital stocks. Customer funds were always safe; our multi-layer advanced monitoring and defense mechanism was able to avoid any further issue,” he said in a blog post.