Cryptocurrency ICOs have been a pretty big security risk for some time now. Even big projects are not immune to exploits, by the look of things. One user claims he is theoretically capable of taking over any TenX account with relative ease. It is evident this is something to worry about, although it remains to be seen if this will become a big problem for its users.
The TenX user exploit is interesting in several ways. For a company that raised over $80m last year, one would expect a strong focus on security overall. That does not appear to be the case, according to one report. More specifically, there appears to be a way to trick the login system on the website. Being able to bypass the rate-limiting protection is a serious problem.
A Major Worry for TenX Users
More specifically, it effectively allows criminals to brute force the verification code in quick succession. All one needs is the email address of a TenX user to take advantage of this issue. Once an account has been compromised, assailants can change the email address and the phone number. Additionally, improperly secured accounts allow funds to be withdrawn without further verification.
It seems the login rate limit can be reset using a proxy or VPN. That in itself is quite worrisome, as switching IPs is not all that difficult. Even so, it would take a lot of attempts to successfully exploit this weakness that way. Instead, the user tried a different approach. It doesn't involve switching IP addresses at all, which is even more worrisome. On average, it takes about 30 minutes to brute force the verification PIN code without too many problems.
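The weakness described above is a rate limit that is tied only to the client's source address, so a new IP starts with a clean counter. The article does not explain the IP-independent method the user found, so the example below covers the case it does describe, IP rotation, and the general mitigation: count failed verification attempts against the account being attacked, not against the address the guesses come from. This is an added illustration written for this page, not TenX's code; the class, function names, limits (5 failures per 30-minute window, 10-minute code lifetime), the sample email and the sample code are all assumptions.

```python
"""Throttling a one-time verification code check so that rotating source IPs
does not reset the failed-attempt counter. Added example; not TenX's code."""
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed policy: failed checks allowed per key per window
WINDOW_SECONDS = 1800   # assumed policy: 30-minute sliding window
CODE_TTL = 600          # assumed policy: a code is valid for 10 minutes


class VerificationCodeChecker:
    """Verifies a short one-time code and locks out after repeated failures.

    key_by="ip" throttles only the client address (the weak pattern the
    article describes); key_by="account" throttles the target account, so a
    client that changes IP between guesses still hits the same counter.
    """

    def __init__(self, key_by="account", now=time.time):
        assert key_by in ("account", "ip")
        self.key_by = key_by
        self._now = now
        self._codes = {}                    # email -> (code, expiry timestamp)
        self._failures = defaultdict(list)  # throttle key -> failure timestamps

    def issue(self, email, code):
        """Store a freshly generated code for the account."""
        self._codes[email] = (code, self._now() + CODE_TTL)

    def _key(self, email, source_ip):
        return email if self.key_by == "account" else source_ip

    def failures(self, key):
        """Number of failed attempts for this key inside the sliding window."""
        cutoff = self._now() - WINDOW_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return len(self._failures[key])

    def verify(self, email, submitted_code, source_ip):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        key = self._key(email, source_ip)
        if self.failures(key) >= MAX_FAILURES:
            return "locked"            # refuse before even looking at the code
        entry = self._codes.get(email)
        if entry is None or entry[1] <= self._now():
            return "expired"
        stored_code, _ = entry
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(stored_code, submitted_code):
            del self._codes[email]     # a code is single-use
            self._failures.pop(key, None)
            return "ok"
        self._failures[key].append(self._now())
        return "wrong"


def guesses_evaluated(key_by, wrong_guesses=12):
    """Constructed scenario: a client submits wrong codes for one account while
    using a fresh source IP for every request. Returns how many guesses were
    actually compared against the stored code (i.e. not answered 'locked')."""
    checker = VerificationCodeChecker(key_by=key_by)
    checker.issue("victim@example.com", "482913")   # constructed sample values
    evaluated = 0
    for i in range(wrong_guesses):
        result = checker.verify("victim@example.com", f"{i:06d}", f"203.0.113.{i}")
        if result == "wrong":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("IP-keyed limiter, guesses checked:", guesses_evaluated("ip"))        # 12
    print("Account-keyed limiter, guesses checked:", guesses_evaluated("account"))  # 5
```

With the IP-keyed limiter every one of the twelve guesses is evaluated, because each new address arrives with an empty failure list; with the account-keyed limiter only the first five are, and the account then refuses even the correct code until the window passes. A per-account lockout can itself be abused to lock a legitimate user out, so in practice it is paired with a short code lifetime (as above), a limited number of code re-issues, and alerting on accounts that hit the limit repeatedly.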
This exploit was reported to the TenX team before it was made public. The issue has now been fixed, although it took some time to do so. The "hacker" also received a $3,000 bounty for his efforts, which is pretty interesting. For a bug that could have cost the company millions in stolen funds, that seems like pocket change. Even so, it is good to see the issue fixed. TenX users are safe from this particular bug, but everyone should enable the maximum verification measures first and foremost.