In what will come as a huge shock to the British crypto asset trading industry, DX.Exchange has revealed that a bug in its system has been causing customer data and authorization (auth) tokens to be leaked from the exchange. Fortunately, just hours after the bug was reported a patch was released, as such the data leaks have ended – for now at least.
A Secret Scandal on the Cards
The user that identified the bug reportedly managed to gain access to the auth tokens by using the source code viewer in Google Chrome. Once the user had access to the auth tokens, they could then login as anyone who the discovered auth token belonged to – including DX.Exchange employees. From there, the customer was able to access exchange funds and customer data – meaning if the customer was a bad actor, they could have injected the malware into the database to steal all funds and customer data.
However, when it was brought to the attention of the exchange, it admitted to knowing the bug was there and knew exactly where the bug was located. Whether the exchange knew about the bug and was in the process of fixing it or a rogue developer added it in exchange for money is still unclear. This data leak could be the subject of a UK regulatory probe in the coming weeks, and if it’s found to be the latter there could be serious ramifications for DX.Exchange.
Hackers Here, There, and Everywhere
Hacks are worryingly becoming more commonplace. In 2018 alone, more than 50 exchanges were attacked by hackers, causing millions of dollars in crypto to go missing. During September, Zaif – a Japanese crypto exchange – was hacked to the sum of more than $60 million. The Zaif fallout caused the owners to sell a majority stake in the firm to Fisco Digital Asset Group (FDAG) in order to pay back investors.
New Breeds of Hacks Taking Place
Beyond the normal realm of hacks that take place on a weekly basis, a new breed of hacker is emerging from the shadows. One hacking group managed to access Trade.io’s cold storage and empty the exchange’s reserves. In order to do this, it had to access codes that were permanently kept offline and stored in a bank’s safety deposit box. This hack has baffled industry experts and it’s still unclear how the hackers managed to pull off something so audacious.
Leaking customer data and auth tokens is never a good thing, and there is a high chance that regulators will come down hard on DX.Exchange. It will likely be hit with a fine and in a worst-case scenario could be forced to allow regulators to inspect the exchange further frequently. For now, the issue has been resolved, but it will have badly damaged investor confidence.