OKX Reportedly Has ‘Serious Shortcomings’ in Security Settings

by BSCN

June 10, 2024

Blockchain reporter Wu Blockchain revealed serious security flaws in OKX's system, including the ability to bypass Google Authenticator verification.

Wu Blockchain, an independent blockchain journalist, reported shortcomings in the security settings of the crypto exchange OKX.

OKX recently suffered a significant security breach involving its SMS notification system. 

Attackers reportedly exploited this vulnerability to create new API keys with withdrawal and trading permissions on victims' accounts. Many users have experienced thefts as a result.

This incident at OKX is not isolated. Binance, another major exchange, has recently experienced a similar security breach. 


Per reports, OKX is conducting a thorough investigation, reaching out to affected users, and promising full accountability if found at fault.


The exchange requested patience during the investigation process and recommended enabling two-factor authentication (2FA) to prevent further breaches. Despite these reassurances, the security shortcomings revealed are causing concern among users and industry observers.

Security Shortcomings Highlighted

Blockchain reporter Wu Blockchain conducted an analysis revealing ‘serious shortcomings’ in OKX's security settings. These include:

1. Bypassing Google Authenticator Verification

OKX allows switching to a lower-security verification method, such as SMS, during sensitive operations like adding a whitelist address, withdrawing, and making various verification changes. Because the weaker method can substitute for Google Authenticator (GA), an account's GA protection only holds as long as its SMS channel does, which undermines GA's security benefits.

2. Lack of Withdrawal Ban for Sensitive Operations
OKX does not trigger a 24-hour withdrawal ban after sensitive operations such as disabling phone verification, disabling GA verification, or changing the login password. A withdrawal ban applies only when logging in from a new device. This leaves risk control for credential changes weaker than for new-device logins.

3. Whitelist Address Withdrawals Lack Dynamic Verification

Withdrawals to whitelisted addresses are not subject to dynamic verification based on the withdrawal amount. Once an address is on the whitelist, withdrawals up to the limit proceed without any further verification. Other exchanges set thresholds above which re-verification is required, providing an additional layer of security.
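The three shortcomings above are all policy decisions in an exchange's authorization layer. The following is an added illustration, not OKX's code or anything from Wu Blockchain's report: a hypothetical `authorize` function that, with `hardened=False`, reproduces the reported behaviour (factor step-down, no post-change withdrawal ban, no amount-based re-check for whitelisted addresses) and, with `hardened=True`, applies the corrections the article's comparison with other exchanges implies. The factor ranking, operation names and the 1,000 whitelist limit are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical ranking of verification factors: higher is stronger.
FACTOR_RANK = {"sms": 1, "ga": 2}
# Operations the report calls "sensitive".
SENSITIVE_OPS = {"add_whitelist_address", "withdraw", "disable_sms",
                 "disable_ga", "change_password"}
# Credential changes that, under the hardened policy, start a 24-hour withdrawal ban.
BAN_TRIGGERS = {"disable_sms", "disable_ga", "change_password"}
WHITELIST_LIMIT = 1_000.0  # constructed per-withdrawal limit for whitelisted addresses


@dataclass
class Account:
    strongest_factor: str                      # strongest factor enrolled, e.g. "ga"
    whitelist: set = field(default_factory=set)
    ban_until: Optional[datetime] = None       # active withdrawal ban, if any


def authorize(acct, op, factor_used, now, amount=0.0, dest=None, hardened=True):
    """Return 'allow', 'step-up' or 'deny: <reason>' for one operation."""
    # 1. Step-down: hardened policy requires the strongest enrolled factor for
    #    sensitive operations, so SMS cannot stand in for GA.
    if (hardened and op in SENSITIVE_OPS
            and FACTOR_RANK[factor_used] < FACTOR_RANK[acct.strongest_factor]):
        return "deny: weaker factor than enrolled"
    if op == "withdraw":
        # 2. An active withdrawal ban is honoured under both policies.
        if acct.ban_until is not None and now < acct.ban_until:
            return "deny: withdrawal ban active"
        # Non-whitelisted destinations always need a fresh verification.
        if dest not in acct.whitelist:
            return "step-up"
        # 3. Dynamic verification: weak policy waives it for whitelisted addresses
        #    regardless of amount; hardened re-verifies above the limit.
        if hardened and amount > WHITELIST_LIMIT:
            return "step-up"
        return "allow"
    if op == "add_whitelist_address":
        acct.whitelist.add(dest)
    elif op in BAN_TRIGGERS and hardened:
        # Weak policy only bans after a new-device login; hardened bans here too.
        acct.ban_until = now + timedelta(hours=24)
    return "allow"
```

Running both policies over the same sequence (SMS-verified whitelist change, then a large withdrawal, then a password change followed by another withdrawal) shows where each reported gap sits.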


According to Wu Blockchain, the current shortcomings have exposed users to significant risks.


Disclaimer

Disclaimer: The views expressed in this article do not necessarily represent the views of BSCNews. The information provided in this article is for educational and informational purposes only and should not be construed as investment advice. BSCNews assumes no responsibility for any investment decisions made based on the information provided in this article.