Sophos News

Trading site data leak sprayed out keys to users’ accounts

You might want to question putting your money into a new trading platform that can’t even spring for a good translator.

Or, as DX.Exchange put it on its site:

Digital Stocks , How its works?

If only that were the biggest problem of the platform, which allows people to trade currencies and “digitized” versions of Apple, Tesla, and other stocks. A few days ago, a curious trader wanted to see how robust the platform is, along with how well it protects users’ sensitive financial and legal information.

So, as Ars Technica tells it, the trader set up a dummy account and started to explore, using the Chrome browser’s developer tools to get better visibility into the platform’s inner workings.

And lo! What a hot mess he encountered therein.

According to Ars, the trader discovered that HTTP responses from the platform included a tangled spaghetti of extraneous data, including other users’ authentication tokens, plus password-reset links.

When you log in to a website you hand over your password and the website gives you an authentication token in return. Until you log out, your browser will hand back the authentication token with each subsequent page request to show that the request is coming from you.

The token is supposed to be kept secret from everyone but you and the website (because it’s as good as a password), and it’s protected from snooping as it travels back and forth between your browser and the website by TLS (Transport Layer Security).

That protection is worthless, though, if your token gets sent to somebody else. If a bad actor ends up with your token, and you haven’t logged out by the time they get it, then they have the same access to your account that you do.

In this case the trader was also able to open a permanent backdoor into a compromised account by enabling API access on it.

The trader requested anonymity, fearful of the company taking legal action against him. As it is, he couldn’t even find a way to contact the company’s security team – or anybody, for that matter, though Ars obviously did get through – nor any mention of a bug bounty program. Ars quoted him:

The fact that I’m even scared to tell them and there’s not even a way to do it, it’s ridiculous.

It gets worse

Ars Technica Security Editor Dan Goodin says that the publication confirmed what the trader was reporting. The site’s tokens (which followed the JSON Web Tokens standard) were easily decoded to discover the full names and email addresses of DX.Exchange users contained within.
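A defender-side check for the failure described above, as an added example that is not code from Ars Technica, the trader or DX.Exchange: it scans a response body for JWT-shaped strings, decodes each payload (which needs no key) and reports any token that does not belong to the logged-in user. The `email` and `name` claim names, the sample addresses and the response layout are assumptions constructed for illustration.

```python
import base64
import json
import re

# Three base64url segments joined by dots; a compact JSON object encodes to "eyJ...".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Read a JWT payload. No key is needed: it is encoded, not encrypted."""
    payload = token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def foreign_tokens(body: str, session_email: str) -> list[dict]:
    """Return the claims of every JWT in body not issued to session_email."""
    leaked = []
    for token in set(JWT_RE.findall(body)):
        try:
            claims = decode_claims(token)
        except ValueError:
            continue  # JWT-shaped string that is not valid base64url JSON
        # "email" as the owner claim is an assumption for this example.
        if str(claims.get("email", "")).lower() != session_email.lower():
            leaked.append(claims)
    return sorted(leaked, key=lambda c: str(c.get("email", "")))


def make_token(claims: dict) -> str:
    """Build a sample token with a dummy signature (constructed test data)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.c2lnbmF0dXJl"


# Constructed response: the caller's own token plus one that belongs to someone else.
SAMPLE_BODY = json.dumps({
    "token": make_token({"email": "alice@example.com", "name": "Alice Example"}),
    "debug": {"last": make_token({"email": "bob@example.com", "name": "Bob Example"})},
})

if __name__ == "__main__":
    for claims in foreign_tokens(SAMPLE_BODY, "alice@example.com"):
        print("response exposes a token for", claims["email"], "/", claims["name"])
```

Run against recorded responses in a test suite or at an egress proxy, a non-empty result means the server is handing one user's credentials to another.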

By examining the contents of the tokens, the trader established that the data leaking from the site included employees’ tokens:

You can see from the account’s email address it’s @coins.exchange [which is a domain used by many of the platform’s employees]. I have pretty good confidence I could do this for a day and get an administrative token and have everything.

In other words, a patient attacker who was prepared to wait until the site sent them a token for a highly privileged user could have been a threat to the entire platform, not just individual accounts.

Goodin speculates that with unfettered access an attacker might have been able to spike the site with malware, download its user data or drain the funds of its 600,000 registered users.

Ars gave DX.Exchange officials a heads-up on Tuesday afternoon and, after a short delay and a false start, the leak was finally plugged shortly after 8am Pacific Time on Wednesday.

The leak itself was one thing. But Goodin noted a slew of red flags beyond that, including the site’s sloppiness with tokens:

Besides the leak itself, there’s also the sloppiness of its token system. Best practices call for authentication tokens to be time stamped and then signed with a private encryption key each time a user sends it to a site. This prevents what are known as replay attacks, in which hackers gain unauthorized access to an account by copying the user’s valid Web request and pasting it into a new, fraudulent request.

The fact that there was no clear way to report a security problem was another red flag.

We can scarcely blame the trader who found the leaks for wanting to keep a low profile and keep his name and phone number away from DX.Exchange. Companies with security holes don’t always respond with an abundance of gratitude.

The St Jude vs MedSec debacle comes to mind. St Jude, the pacemaker company, sued IoT security firm MedSec for defamation after it published what St Jude said was bogus information about bugs in its equipment… life-threatening bugs that it nonetheless went on to patch, mind you.

We need all the help we can get from ethical hackers who responsibly disclose vulnerabilities, and they shouldn’t be scared away by fears of retribution over ethical disclosure. That’s just one hurdle they face; as it is, their talents are being tempted away by ever-fatter bounties from zero-day buyers, and lawmakers have on multiple occasions proposed punitive anti-hacking laws.

The very least that ethical vulnerability disclosers should be able to expect is a clear way to disclose.

Bear in mind that being in “beta” mode, as DX.Exchange says it is, is no excuse for poor security hygiene. To paraphrase one reader’s comment on Ars’s coverage, if a site’s taking your money like it’s full-release, it can’t expect to be held to beta-stage obligations.
