Report: Critical Vulnerabilities Leaking User Data Found on DX.Exchange, Patched Later

Estonia-based cryptocurrency and tokenized stock exchange DX.Exchange has reportedly patched a critical vulnerability that leaked sensitive user data.

Technology news website Ars Technica reported on the security leak Jan. 9, citing an anonymous trader who conducted a security analysis of DX.Exchange.

According to Ars Technica’s article, a trader, who wished to remain anonymous due to legal concerns, noticed that the exchange was sending sensitive data about other users to their browser. After examining that data, the trader reportedly found that it included other users’ authentication tokens and password reset links:

“I have about 100 collected [authentication] tokens over 30 minutes, […] if you wanted to criminalize this, it would be super easy.”

The authentication tokens were reportedly in the JSON Web Token (JWT) format. A JWT’s payload is base64url-encoded rather than encrypted, so the tokens could be decoded with free online tools, revealing the full names and email addresses of the exchange’s users.

According to Ars Technica, the trader explained that a leaked token could grant access to its associated account for as long as the user had not manually logged out after the token was leaked.
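To make the two points above concrete (that a JWT’s claims are readable by anyone who holds the token, and that a stateless token stays valid until it expires or the server revokes it), here is an added example in Python. It is not code from DX.Exchange, Ars Technica or the trader; the signing key, user claims and timestamps are constructed for the demo, and the server-side behaviour it models (HS256 verification plus an exp check) is an assumption about how such tokens are typically handled.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values: this key and these claims are NOT from DX.Exchange;
# they exist only so the example runs offline.
DEMO_SECRET = b"demo-signing-key-not-real"
DEMO_CLAIMS = {
    "sub": "user-1234",
    "name": "Jane Example",
    "email": "jane@example.com",
    "role": "trader",
    "iat": 1546992000,           # 2019-01-09T00:00:00Z
    "exp": 1546992000 + 86400,   # one day later
}


def b64url_encode(raw: bytes) -> str:
    """JWTs use unpadded base64url (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that JWTs strip, then decode."""
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text)


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a JWT the way a server would, so there is a realistic sample to inspect."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Read header and claims WITHOUT checking the signature.

    This is all an "online JWT decoder" does: the claims are encoded, not
    encrypted, so anyone holding a leaked token can read names and emails.
    """
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def verify_hs256(token: str, secret: bytes) -> bool:
    """What a server does per request: recompute the HMAC and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # never let the token choose the algorithm
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def is_expired(claims: dict, now: Optional[int] = None) -> bool:
    """A stateless JWT is accepted until 'exp' passes unless the server also keeps
    a revocation list; a 'logout' only helps if it updates that list."""
    now = int(time.time()) if now is None else now
    return claims.get("exp", 0) <= now


DEMO_TOKEN = make_hs256_token(DEMO_CLAIMS, DEMO_SECRET)

if __name__ == "__main__":
    hdr, body = decode_unverified(DEMO_TOKEN)
    print("header :", hdr)
    print("claims :", body)   # name and email are readable with no key at all
    print("valid signature:", verify_hs256(DEMO_TOKEN, DEMO_SECRET))
    print("expired now    :", is_expired(body))
```

The split matters for incident response: decoding reveals what PII a leaked token exposes (names, emails, roles) regardless of the signing key, while the signature and exp checks show why a leak remains exploitable until the server rotates its key, shortens token lifetimes, or maintains a denylist that logout actually updates.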

The trader has also reportedly found a way to permanently backdoor an account by using the platform’s programming interface, which would grant them access even after a user has logged out.

Furthermore, Ars Technica reported that some of the login data leaked by the platform belonged to employees of the site. The article explains the severity of the issue:

“In the event that such a token gave unauthorized access to an account with administrative privileges, the hacker might be able to download entire databases, seed the site with malware, and possibly even transfer funds out of user accounts.”

Ars Technica itself reportedly checked and confirmed the presence of the vulnerabilities discovered by the trader, obtaining what it described as a large number of authentication tokens through the publicly available programming interface.

Ars Technica contacted DX.Exchange, and according to the article, the leak has now been fixed. However, the company did not say whether it intends to warn users about the now-patched vulnerability:

“Ars sent a response asking if DX.Exchange planned to reset all user tokens or passwords and to notify users that a leak exposed their names and email addresses. So far, the officials have yet to respond.”

As Cointelegraph reported Jan. 3, DX.Exchange leverages Nasdaq’s Financial Information Exchange (FIX) protocol and allows its users to trade tokenized stocks of major companies, including Google, Facebook and Amazon.

As of press time, DX.Exchange has not responded to Cointelegraph’s request for commentary.

Crypto Price Tracker Poses Malware Threat for Macs: Report

A cryptocurrency ticker application called CoinTicker appears to be installing two backdoors on Apple Macs, cybersecurity firm Malwarebytes warned Monday.

The app downloads and installs parts of two different pieces of malware – EvilOSX and EggShell – both of which are backdoor applications that can be used to log keystrokes, steal data or execute certain commands. Malwarebytes director of Mac and Mobile Thomas Reed wrote that it is possible the malware was designed to steal cryptocurrency keys.

CoinTicker poses as a legitimate application that shows the price of a selected cryptocurrency on request. The user installing the app can choose between bitcoin, ethereum, monero, zcash and others, according to a screenshot. However, the app also installs EvilOSX and EggShell in the background.

The app does not require root or other elevated permissions to install its payload, so installation triggers no administrator password prompt and the user will likely see no sign of infection.

It’s unclear what specifically the app’s creators want, but Reed noted that “it seems likely that the malware is meant to gain access to users’ cryptocurrency wallets for the purpose of stealing coins.”

The fact that the malware is distributed through a cryptocurrency app supports this theory, he wrote.

Malwarebytes for Mac now looks for the CoinTicker app, as well as its malware components, he added.

The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.