Estonian licenzirovanie stock exchange DX.Exchange had to fix a critical vulnerability which would leak confidential user data.
The problem was discovered by one of the traders DX.Exchange, which conducted its own investigation and reported it to the technological news website Ars Technica.
The trader has noticed that the exchange sends the confidential data of other users on their browsers. After examining the data, traders found them in the authentication tokens of other users, and links to reset passwords. So, according to him, he “gathered around 100 tokens authentication for 30 minutes.”
It is also reported that authentication tokens were formatted in standard JSON web token that makes it easy to decipher them with the help of online tools, resulting in full names and the email addresses of users DX.Exchange.
The trader also explained how to use this token to access the associated account or even permanently block it.
In addition, it appeared that some of the leaked data belongs to the staff of the exchange. Ars Technica explains the seriousness of the problem in the following way:
“In the case, if the authentication token provided unauthorized access to any account with administrator privileges, the attacker could load the whole database, to fill the site with malware and even to withdraw funds from users ‘accounts”.
Ars Technica also reports that at the moment the vulnerability is fixed, and means users are not affected.
In General, it should be noted that DX.Exchange uses a Protocol of financial information exchange Nasdaq (FIX), and allows users to trade licenzirovanie securities of large companies such as Google, Facebook and Amazon.