DX.Exchange, the Estonian exchange that rose to fame last week after launching tokenized U.S. equities on its platform, is facing scrutiny after a severe security vulnerability was discovered in its framework.
Twitter was alive with excitement over DX.Exchange, a platform that would offer users the ability to buy tokenized versions of popular stocks such as Apple, Tesla, and Amazon.
DX.Exchange goes live today and will support Bitcoin (BTC), Ethereum (ETH), XRP, Cardano (ADA), OmiseGo (OMG), Enigma, ShareToken, and Digibyte.
The new platform gives traders 24-hour, seven-days-a-week access to the traditional stock market.
The beginning of the beginning
— Phillip Nunn 🚀 (@PhillipNunnUK) January 7, 2019
However, heavy skepticism, combined with a security incident, has dampened the enthusiasm.
As reported by Ars Technica on Jan. 10, the highly-publicized blockchain exchange is lagging on user security by leaking “oodles of login credentials” and personal user information to computers accessing its platform. The vulnerability was first discovered by an unidentified trader analyzing the platform’s security and trading frameworks.
Estonian crypto-regulations call for businesses to practice strict AML and KYC norms while onboarding users, meaning the submission of personal information is a must for creating one’s user accounts. As a regulated business, DX.Exchange collects necessary financial and legal information about users, but seemingly fails to provide ample security measures to protect their data.
The Modus Operandi
The trader created a “dummy” account to analyze the data exchanged between a user and the exchange’s servers. To his dismay, he found that DX.Exchange embedded sensitive data in its “authentication token,” a long string of alphanumeric characters that validates the transfer of information.
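A pre-release check for the flaw described above, as an added example that is not from the original article or from DX.Exchange: it decodes the payload of each token a service issues and flags claims that look like personal or credential data. The three-part JWT-style format, the claim names in the deny-list and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import re

# Assumed deny-list of claim names that should not ride in a client-visible token.
SENSITIVE_KEY = re.compile(r"pass|secret|reset|token|email|phone|passport|address", re.I)
EMAIL_VALUE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def decode_payload(token):
    """Return the claims of a JWT-style token. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(segment))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def leaves(value, path=""):
    """Yield (path, leaf) for every leaf value in nested dicts and lists."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from leaves(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from leaves(child, f"{path}[{index}]")
    else:
        yield path, value

def audit_token(token):
    """List (claim path, reason) pairs for data that should stay server-side."""
    findings = []
    for path, leaf in leaves(decode_payload(token)):
        if SENSITIVE_KEY.search(path.rsplit(".", 1)[-1]):
            findings.append((path, "sensitive claim name"))
        elif isinstance(leaf, str) and EMAIL_VALUE.fullmatch(leaf):
            findings.append((path, "email-like value"))
    return findings

def make_sample(claims):
    """Build an unsigned sample token (constructed test data, placeholder signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "c2ln"])

LEAKY = make_sample({"sub": "1001", "exp": 1547164800, "contact": "bob@example.test",
                     "user": {"password_reset_link": "https://example.test/reset/abc"}})
CLEAN = make_sample({"sub": "1001", "exp": 1547164800})

if __name__ == "__main__":
    print(audit_token(LEAKY))
    print(audit_token(CLEAN))
```

Run against tokens captured from a staging environment, a non-empty result means the token carries data that any client holding it can read, since the payload is only encoded, not encrypted.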