Brazilian cryptocurrency exchange Foxbit has recently revealed that, via the BlinkTrade trading platform, it updated its login process, making it safer for users. The update may be too late, however, as recent reports suggest the company’s poor security allowed hackers to phish users out of an estimated 58 BTC (about $540,000).
The 58 BTC estimate comes from cybersecurity expert Leandro Trindade, who warned Foxbit something was wrong with its security practices on March 29. The cybersecurity expert realized something was up when he noticed local complaint portal Reclame Aqui was being flooded with Foxbit-related content.
Upon digging deeper, he found most users were complaining the funds they had on the platform went missing. Trindade’s investigation found that, on Foxbit, users could change their two-factor authentication (2FA) settings using only one password.
This allowed hackers to phish users, and change their 2FA settings to lock them out of their own accounts. Since there was no email confirmation, no security question, or any other security layer, all they then needed to do was proceed to withdraw the user’s funds.
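The password-only 2FA change described above, next to a hardened version of the same flow, as an added example that is not Foxbit's or BlinkTrade's code. The account layout, the function names, the requirement for the current TOTP code, and the 24-hour withdrawal hold are assumptions made for illustration; the email confirmation is the layer the report says was missing.

```python
import hashlib, hmac, struct

WITHDRAWAL_HOLD = 24 * 3600  # assumed cool-down after a 2FA change, in seconds

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def change_2fa_weak(account, password, new_secret):
    """The flow described above: the password alone authorizes the change."""
    if not hmac.compare_digest(account["password"], password):
        return False
    account["totp_secret"] = new_secret
    return True

def change_2fa_hardened(account, password, current_code, email_token, new_secret, now):
    """Require password + current TOTP + emailed token, then hold withdrawals."""
    checks = (
        hmac.compare_digest(account["password"], password),
        hmac.compare_digest(totp(account["totp_secret"], now), current_code),
        hmac.compare_digest(account["pending_email_token"], email_token),
    )
    if not all(checks):
        return False
    account["totp_secret"] = new_secret
    account["withdrawals_blocked_until"] = now + WITHDRAWAL_HOLD
    return True

def can_withdraw(account, code, now):
    """Withdrawals need a valid TOTP code and no active post-change hold."""
    return (now >= account.get("withdrawals_blocked_until", 0)
            and hmac.compare_digest(totp(account["totp_secret"], now), code))

def make_account():
    # Constructed sample account; plaintext password only to keep the demo short.
    return {"password": "hunter2", "totp_secret": b"12345678901234567890",
            "pending_email_token": "constructed-email-token"}
```

With the weak flow, a phished password is enough to replace the second factor and pass the withdrawal check; with the hardened flow the same password fails without the current code and the emailed token, and even a legitimate change cannot be followed by an immediate withdrawal.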
Speaking to local publication Portal do Bitcoin, Trindade stated (roughly translated):
“I could be rich right now. But my code of ethics won’t let me.”
He added that he tried to warn the exchange that its users were at risk. He sent the company two emails, left a support ticket, and messaged it on Facebook. It took BlinkTrade about two weeks to get back to him. In its response, it revealed it would take seven days to fix the issues.
Per Portal do Bitcoin, it took the company 25 days to get rid of the vulnerability. Both Foxbit and BlinkTrade later on revealed they were aware of the issue before Trindade reached out, and added that a “new login and withdrawal procedure was being planned since early February.”
Foxbit’s statement reads (roughly translated):
“The company was informed of the first occurrences in December and has since worked with BlinkTrade to strengthen security and guide users, as shown in our blog post in this regard.”
Evando Conceição Oliveira, a Foxbit user, claims to have lost $10,300 on the platform on January 22. He was initially contacted by Foxbit’s legal department, which attempted to offer him 50% of what he lost. Oliveira tried to negotiate for a little more, and ended up receiving $5,700 from the exchange.
According to Foxbit, several other cases are being taken care of, with some being taken to court. A similar case in Brazil, related to online banking, was decided in favor of the user, potentially setting a precedent.
This isn’t the first time Foxbit’s platform has made headlines. As reported by CCN, a bug in the cryptocurrency exchange’s platform allowed users to withdraw their funds twice, leading to a $270,000 loss. The issue saw Foxbit go down for 14 days, although it processed withdrawals during its extended downtime.
As previously covered, competition may be about to toughen up in the country, as Brazil’s largest investment firm, XP Investimentos, is reportedly going to launch a cryptocurrency exchange.
BlinkTrade has revealed that it “has no responsibility in the occurrences, since in phishing cases, it is the users who deliver (directly or indirectly) their personal information to third parties.” The company’s chief executive officer, Rodrigo Souza, has since published a video contesting Trindade’s criticism.