Crypto exchange leaks every user’s support ticket to every other user

CyberNews recently discovered a bug affecting the cryptocurrency exchange platform Bitexlive in which support tickets were exposed to every visitor of the site via the site's socket connection. This data can be mundane or extremely sensitive, depending on the type of information being communicated between the customer and the customer support agents.

CyberNews contacted Bitexlive via Telegram on September 28 to disclose the issue and help them resolve it. Although we have received no communication in return, the issue seems to have been fixed after we informed them. 

A request for comment was not returned by the time of publishing.

What data is being leaked?

The leaked data relates to any support ticket, and it could be viewed by any visitor of the site via the Bitexlive socket connection. When a Bitexlive user has some issue with the site, whether it’s serious or mundane, they will contact customer support and open what’s known as a support ticket — basically a summary of the situation and a request for help. With this data leak, every user on Bitexlive could see other users’ support tickets.

The leaked data includes:

  • the time of the request
  • the name of the ticket creator
  • the email of the ticket creator
  • extra information, like a Telegram handle or addresses
  • the full text of the ticket
  • image locations (if attached)

Most of the data being leaked is sensitive in its own right, but the greatest concern is the “full text of the ticket,” which can contain very sensitive information depending on the type of problem being discussed with customer support.

This can also include KYC, or Know Your Customer, data required by many cryptocurrency exchanges, which includes official identification documents like passports, driver’s licenses, and national IDs.

Below is a sample of the kind of data that we were able to see:


The data was being sent to every visitor of Bitexlive, so anyone with minimal technical knowledge could view this data.
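The flaw described above is an authorization failure on the socket channel: ticket events were delivered to every connected visitor rather than only to the parties entitled to see them. The following added example (not Bitexlive's code; the in-memory client model, the roles and the field names are assumptions) contrasts that broadcast pattern with a delivery rule scoped to the ticket owner and support staff:

```javascript
// Added example: in-memory model of a support-ticket event hub (not Bitexlive's code).
class TicketHub {
  constructor() {
    this.clients = new Map(); // connectionId -> { userId, role, inbox }
  }
  // One socket connection; anonymous visitors have no userId (assumed model).
  connect(connectionId, { userId = null, role = "guest" } = {}) {
    this.clients.set(connectionId, { userId, role, inbox: [] });
  }
  // VULNERABLE pattern: the ticket event is pushed to every open socket,
  // so an unauthenticated visitor receives other users' tickets.
  publishTicketToAll(ticket) {
    for (const client of this.clients.values()) client.inbox.push(ticket);
  }
  // HARDENED pattern: deliver only to connections authorized for this ticket.
  publishTicketScoped(ticket) {
    for (const client of this.clients.values()) {
      if (this.mayView(client, ticket)) client.inbox.push(ticket);
    }
  }
  // Authorization rule: the ticket owner or a support agent, never anonymous.
  mayView(client, ticket) {
    if (client.userId === null) return false;
    return client.role === "support" || client.userId === ticket.ownerId;
  }
  inbox(connectionId) {
    return this.clients.get(connectionId).inbox;
  }
}

// Runs both delivery modes over a constructed set of connections and returns
// how many tickets each connection received, in order: agent, alice, bob, anon.
function demo() {
  const results = {};
  for (const mode of ["broadcast", "scoped"]) {
    const hub = new TicketHub();
    hub.connect("c-agent", { userId: "agent-1", role: "support" });
    hub.connect("c-alice", { userId: "alice", role: "customer" });
    hub.connect("c-bob", { userId: "bob", role: "customer" });
    hub.connect("c-anon"); // unauthenticated visitor
    const ticket = { id: 42, ownerId: "alice", text: "Withdrawal stuck" }; // constructed
    if (mode === "broadcast") hub.publishTicketToAll(ticket);
    else hub.publishTicketScoped(ticket);
    results[mode] = ["c-agent", "c-alice", "c-bob", "c-anon"]
      .map((c) => hub.inbox(c).length);
  }
  return results;
}
```

In the broadcast mode every connection, including the anonymous one, receives the ticket; in the scoped mode only the agent and the ticket's owner do.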

Who is the company behind the vulnerability?

Bitexlive is a cryptocurrency exchange platform that is based in Turkey. Besides claiming the usual 24/7 support, secure storage and two-factor authentication, their website also claims that they put “Security First.”

While the vulnerability we discovered was not critical, it still reflects poorly on a financial services provider. Unfortunately, although Bitexlive appears to have used our vulnerability disclosure to patch the issue, they responded to neither our initial disclosure nor any of our follow-up requests for comment.

According to CoinGecko, Bitexlive has a daily trading volume of about $19 million, and has a trust score of 4/10.

What’s the impact of the vulnerability?

At the moment, given the limited knowledge we have of the situation due to Bitexlive’s lack of communication, we do not know exactly how long the vulnerability existed or how many people may have accessed this information.

Nonetheless, the kind of information that was exposed can be used for targeted phishing campaigns against Bitexlive users. Depending on the type of information that was being shared in these private support tickets, victims can potentially have their KYC data leaked.

With that, cybercriminals can commit identity theft on these victims, possibly taking out loans or credit cards in their names, or even using the information for social engineering and other purposes.

Next steps

If you are or have been a user of Bitexlive, there’s a chance that your data has been exposed. Therefore, we recommend you:

  1. Review your messages with Bitexlive support in your mailbox to see if you’ve shared sensitive information
  2. Set up identity theft monitoring to make sure your finances are safe
  3. Keep an eye out for phishing or other suspicious emails or messages, and avoid clicking on links from suspicious emails
