OKX Reportedly Has ‘Serious Shortcomings’ in Security Settings

Blockchain reporter Wu Blockchain revealed serious security flaws in OKX's system, including the ability to bypass Google Authenticator verification.
BSCN
June 10, 2024
Wu Blockchain, an independent blockchain journalist, reported shortcomings in security settings in the crypto exchange, OKX.
OKX recently suffered a significant security breach involving its SMS notification system.
We take today's online reports of "exchange user assets stolen" very seriously. We have contacted the affected users and are currently investigating the matter; if the platform is ultimately found to be responsible, the platform will proactively assume responsibility. In addition, we will publish the results as soon as the investigation is complete. Please be patient and refrain from unnecessary speculation. Thank you all for your support.
— OKX中文 (@okxchinese) June 9, 2024
Attackers reportedly exploited this weakness to create new API keys with withdrawal and trading permissions. Many users have reported thefts as a result.
This incident at OKX is not isolated. Binance, another major exchange, has recently experienced a similar security breach.
Per reports, OKX is conducting a thorough investigation, reaching out to affected users, and promising full accountability if found at fault.
The exchange requested patience during the investigation process and recommended enabling two-factor authentication (2FA) to prevent further breaches. Despite these reassurances, the security shortcomings revealed are causing concern among users and industry observers.
Security Shortcomings Highlighted
Blockchain reporter Wu Blockchain conducted an analysis revealing ‘serious shortcomings’ in OKX's security settings. These include:
1. Bypassing Google Authenticator Verification
OKX allows switching to lower-security verification methods, such as SMS, during sensitive operations like adding a whitelist address, withdrawing funds, and changing verification settings. This bypasses Google Authenticator (GA) verification and undermines its security benefit.
2. Lack of Withdrawal Ban for Sensitive Operations
OKX does not trigger a 24-hour withdrawal ban for sensitive operations such as disabling phone verification, disabling GA verification, and changing the login password. Withdrawal bans only apply when logging in on a new device. This represents a compromise in risk control measures for password changes.
3. Whitelist Address Withdrawals Lack Dynamic Verification
Withdrawals to whitelisted addresses are not subject to dynamic verification based on withdrawal amounts. Withdrawals up to the limit can proceed without further verification after an address is added to the whitelist. Other exchanges set limits requiring re-verification for larger amounts, providing an additional layer of security.
According to Wu Blockchain, the current shortcomings have exposed users to significant risks.
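The three gaps above are all risk-control policy decisions. The following added example (constructed for this page, not OKX code) models them as a policy object: the weak settings as reported beside a hardened policy that refuses step-down from GA to SMS, starts a 24-hour withdrawal hold after every sensitive operation, and re-verifies whitelist withdrawals above a threshold. The threshold, clock and address values are assumptions; `replay` walks an actor who controls only the SMS channel through "add whitelist address, then withdraw" under each policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed example, not exchange code. Sensitive operations named in the report.
SENSITIVE_OPS = frozenset({"add_whitelist_address", "disable_phone_verification",
                           "disable_ga", "change_password", "new_device_login"})
HOLD = timedelta(hours=24)
T0 = datetime(2024, 6, 9, 12, 0)  # constructed clock for the scenarios below

@dataclass(frozen=True)
class Policy:
    allow_step_down: bool  # may SMS replace GA on a GA-enrolled account?
    hold_after: frozenset  # operations that start a 24-hour withdrawal hold
    reverify_above: float  # whitelist withdrawals above this need a second factor

# The weak settings as reported, beside a hardened policy (threshold is assumed).
WEAK = Policy(True, frozenset({"new_device_login"}), float("inf"))
HARDENED = Policy(False, SENSITIVE_OPS, 1_000.0)

@dataclass
class Account:
    ga_enabled: bool = True
    whitelist: set = field(default_factory=set)
    hold_until: datetime = datetime.min

def sensitive_op(policy, acct, op, method, now, address=None):
    """Gate a sensitive operation on the second factor; returns (ok, reason)."""
    if acct.ga_enabled and method != "ga" and not policy.allow_step_down:
        return False, f"{op}: GA enrolled, step-down to {method} refused"
    if op in policy.hold_after:
        acct.hold_until = now + HOLD
    if op == "add_whitelist_address":
        acct.whitelist.add(address)
    return True, f"{op}: accepted via {method}"

def withdraw(policy, acct, address, amount, method, now):
    """Authorize a withdrawal; whitelisted addresses skip 2FA only up to the threshold."""
    if now < acct.hold_until:
        return False, f"withdrawal hold active until {acct.hold_until:%Y-%m-%d %H:%M}"
    needs_2fa = address not in acct.whitelist or amount > policy.reverify_above
    weak_factor = acct.ga_enabled and method != "ga" and not policy.allow_step_down
    if needs_2fa and (method is None or weak_factor):
        return False, "second factor (GA) required"
    return True, "approved"

def replay(policy):
    """Actor holding only the SMS channel adds a whitelist address, then withdraws."""
    acct = Account()
    ok, reason = sensitive_op(policy, acct, "add_whitelist_address", "sms", T0, "addr-X")
    if ok:
        ok, reason = withdraw(policy, acct, "addr-X", 5_000.0, None, T0 + timedelta(minutes=1))
    return "drained" if ok else f"blocked: {reason}"
```

Under `WEAK` the replay ends in "drained"; under `HARDENED` it stops at the whitelist step, and even a legitimately added address is held for 24 hours and re-verified above the threshold.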