According to Ars Technica’s article, a trader, who wished to remain anonymous due to legal concerns, noticed that the exchange was sending sensitive data belonging to other users to their browser. After examining the data, the trader reportedly found that it included other users’ authentication tokens and password reset links:
“I have about 100 collected [authentication] tokens over 30 minutes, […] if you wanted to criminalize this, it would be super easy.”
The authentication tokens were reportedly formatted according to the JSON Web Token (JWT) standard and could be easily decoded with online tools, revealing the full names and email addresses of the exchange’s users.
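The reason a leaked JWT gives up names and email addresses is that its header and claims are only base64url-encoded JSON; the signature protects integrity, not confidentiality. The following is an added example, not code from the article or from DX.Exchange: it builds a constructed HS256 token under a throwaway key, shows that the claims can be read without the key, verifies the signature properly, and runs a check an issuer can use to flag tokens whose claims carry personal data. The token, key, claim values and the `SENSITIVE_CLAIMS` list are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed throwaway signing key for the example (not a real key).
SECRET = b"example-signing-key"


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments omit before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT: base64url(header).base64url(claims).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = (
        b64url_encode(json.dumps(header, **compact).encode())
        + "."
        + b64url_encode(json.dumps(claims, **compact).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, claims) without touching the signature.

    This is exactly what an online decoder does: anyone holding the token
    can read every claim, so claims are plaintext to whoever sees the token.
    """
    header_b64, claims_b64, _sig_b64 = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(claims_b64)),
    )


def verify_hs256(token: str, key: bytes) -> bool:
    """Check the HMAC-SHA256 signature in constant time; only the key holder can do this."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(
        key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


# Assumed list of claim names that carry personal data; an issuer should keep
# these out of bearer tokens and look them up server-side from the subject instead.
SENSITIVE_CLAIMS = {"email", "name", "given_name", "family_name", "phone_number", "address"}


def sensitive_claims_present(claims: dict) -> set[str]:
    """Return the personal-data claim names found in a token's payload."""
    return SENSITIVE_CLAIMS & set(claims)


# Constructed sample token carrying a name and e-mail in its claims.
EXAMPLE_TOKEN = make_jwt(
    {"sub": "user-1234", "name": "Jane Example", "email": "jane@example.invalid", "exp": 1600000000},
    SECRET,
)

if __name__ == "__main__":
    header, claims = decode_unverified(EXAMPLE_TOKEN)
    print("header:", header)
    print("claims readable without the key:", claims)
    print("personal data in claims:", sorted(sensitive_claims_present(claims)))
    print("signature valid with issuer key:", verify_hs256(EXAMPLE_TOKEN, SECRET))
    print("signature valid with wrong key:", verify_hs256(EXAMPLE_TOKEN, b"wrong-key"))
```

The mitigation this illustrates is on the issuer's side: keep tokens down to an opaque subject identifier and expiry, and never return another user's token in an API response in the first place; the signature check shows the only property the JWT actually guarantees.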
Furthermore, Ars Technica reported that some of the login data leaked by the platform belonged to employees of the site. The article explains the severity of the issue:
“In the event that such a token gave unauthorized access to an account with administrative privileges, the hacker might be able to download entire databases, seed the site with malware, and possibly even transfer funds out of user accounts.”
Ars Technica itself reportedly checked and confirmed the presence of the vulnerabilities discovered by the trader, obtaining what it described as a large number of authentication tokens through the publicly available programming interface.
Ars Technica contacted DX.Exchange and, according to the article, the leak has now been fixed. However, the company declined to comment on whether it intends to warn users about the now-patched vulnerability: