- Turkish crypto-exchange ‘Bitexlive’ has exposed highly sensitive user data to any visitor of the site.
- The information comes from support tickets, so it includes PII, KYC documents, and other details.
- The platform never responded to the reporters and hasn’t sent notifications to the exposed users.
Researchers from the CyberNews team have discovered a serious blunder on the Turkish cryptocurrency exchange platform ‘Bitexlive.’ Due to a configuration error, user support tickets were exposed to every visitor of the site via the socket, so the exposure level and severity vary depending on what each user exchanged with the platform’s support agents. In most cases, though, the support tickets contain sensitive information that could be used to compromise the users.
Bitexlive offers 24/7 support, two-factor authentication, and secure storage, but the bug that CyberNews investigators found should have been trivial for the website’s operators to discover and fix. When informed about it by the publication, they quickly proceeded to fix it, but never replied to the researchers to thank them or assure them that the userbase would be notified of what happened. This just adds another reason not to trust the platform, as the lack of transparency combined with a lack of security is a dangerous mix.
By looking at data samples, the researchers found the following things:
- The time of request
- Name of the ticket creator
- Email of the ticket creator
- Extra information, like Telegram handle or addresses
- Full text of the ticket
- Image locations (if attached)
Of all the above, the “full text of the ticket” is the worst kind, as this is where highly sensitive PII and documents may be shared as “Know Your Customer” and identity validation proof. There, one could potentially find passports, national IDs, and driver’s licenses.
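The exposure described above comes down to a delivery rule on the socket: a ticket event that should reach only its owner and support staff was instead pushed to every connected visitor. The following is an added illustration, not Bitexlive code or anything published by CyberNews; it models the connections as plain in-process objects rather than a real WebSocket server, and the user ids, roles, timestamps, e-mail addresses and ticket texts are constructed sample data shaped after the fields listed above. The broadcast policy stands in for the misconfiguration; the owner-or-agent policy is the check a defender would expect on the server side.

```javascript
// Added example (not Bitexlive code): an in-process model of a support-ticket
// event hub, showing the exposure pattern (every connected client receives
// every ticket) next to a hardened delivery policy that only sends a ticket to
// the account that opened it and to authenticated support agents.
// Clients are plain objects standing in for socket connections; all ids,
// roles, dates and ticket contents below are constructed sample data.

class TicketHub {
  constructor(authorize) {
    this.clients = new Set();
    this.authorize = authorize; // (client, ticket) => boolean
  }
  // Register a connection; `inbox` collects what the client would receive on the wire.
  connect(client) {
    client.inbox = [];
    this.clients.add(client);
    return client;
  }
  // Push a ticket event to every connected client that passes the policy.
  publish(ticket) {
    for (const client of this.clients) {
      if (this.authorize(client, ticket)) client.inbox.push(ticket);
    }
  }
}

// Exposure pattern: the socket acts as a plain broadcast channel, so anyone
// who connects, including unauthenticated visitors, sees every ticket.
const broadcastToAll = () => true;

// Hardened policy: deliver only to the ticket owner or to support agents.
// Anonymous visitors carry no userId and therefore never match.
const ownerOrAgent = (client, ticket) =>
  client.role === 'agent' ||
  (typeof client.userId === 'string' && client.userId === ticket.ownerId);

// Constructed sample connections: two customers, one agent, one anonymous visitor.
const sampleClients = () => [
  { name: 'alice', userId: 'u-1001', role: 'customer' },
  { name: 'bob', userId: 'u-1002', role: 'customer' },
  { name: 'support', userId: 'u-0001', role: 'agent' },
  { name: 'visitor', role: 'anonymous' }, // never logged in
];

// Constructed sample tickets, shaped after the exposed fields (time, name,
// e-mail, extra contact details, full text, attached image locations).
const sampleTickets = () => [
  {
    id: 1, ownerId: 'u-1001', createdAt: '2021-03-01T10:00:00Z',
    name: 'Alice Example', email: 'alice@example.invalid',
    text: 'Attaching my passport scan for KYC verification',
    images: ['/uploads/sample-passport.jpg'],
  },
  {
    id: 2, ownerId: 'u-1002', createdAt: '2021-03-01T11:30:00Z',
    name: 'Bob Example', email: 'bob@example.invalid',
    extra: 'Telegram: @bob_example',
    text: 'Withdrawal stuck since yesterday', images: [],
  },
];

// Run one delivery policy and report, per client, which ticket ids it received.
function simulate(authorize) {
  const hub = new TicketHub(authorize);
  const clients = sampleClients().map((c) => hub.connect(c));
  for (const t of sampleTickets()) hub.publish(t);
  const received = {};
  for (const c of clients) received[c.name] = c.inbox.map((t) => t.id);
  return received;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('misconfigured (broadcast):', simulate(broadcastToAll));
  console.log('hardened (owner or agent):', simulate(ownerOrAgent));
}
```

With the broadcast policy the anonymous visitor's inbox holds both tickets, passport scan path included; with the owner-or-agent policy it holds nothing, each customer sees only their own ticket, and the agent sees both. The point for a server operator is that the check must live where the event is emitted, not in the client UI that happens to hide what it did not ask for.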
According to ‘CoinGecko,’ the daily trading volume on Bitexlive is estimated at about $19 million, so this is not a minor platform we’re talking about. Also, accessing the exposed data wouldn’t require amazing hacking skills, but only minimal technical knowledge.
Thus, if you are a user of Bitexlive, you are advised to do the following:
- Review your communication with the support team and determine if you have shared any sensitive information through this channel.
- Set up an identity theft monitoring service that covers the dark web too.
- Watch out for incoming phishing and scamming attempts via email, and don’t click on links and embedded buttons.