Cybersecurity analysis: Is the OKX vulnerability unrelated to "SMS verification"? OKX founder Xu Mingxing: No, and any losses caused by OKX will be fully compensated


After a series of recent security incidents involving OKX users sparked widespread concern, the online community analyzed the causes of these events in detail and OKX founder Xu Mingxing responded at length. This article reports on the incident from the security weaknesses identified to the official response, to help users understand the risks and protect their assets.

Analysis: Vulnerabilities in OKX Security Settings

The Web3 security account @dilationeffect stated that a quick analysis of OKX's account security settings revealed some surprising weaknesses. The analysis was conducted on June 10, 2024, at 5:00 PM.

1. Google Authenticator Verification Can Be Bypassed

Even when a user has bound Google Authenticator (GA), the verification flow allows switching to a lower-assurance method such as SMS, so the GA check is easily bypassed: for sensitive operations the user (or an attacker controlling the phone number) can simply choose SMS instead. In effect the account's assurance level is that of its weakest selectable factor, not its strongest.

2. Lack of Risk Control Measures for Sensitive Operations

Sensitive operations such as turning off SMS verification, turning off GA verification, or changing the login password do not trigger the 24-hour withdrawal freeze; only a login from a new device does. An attacker who is already past login can therefore strip the account's protections without triggering any freeze, which is a significant risk.

3. Security Risks in Whitelisted Address Withdrawals

Withdrawals to whitelisted addresses are not re-verified based on the amount. Once an address is on the whitelist, any withdrawal within the account's limit goes through without further verification, unlike other exchanges, which set a limit for whitelisted addresses and require re-verification above it.

These findings indicate that OKX's security settings lack a security baseline. The choices may have been made to improve user experience, but they compromise security. Users should review their account configuration carefully and bind GA to strengthen it.
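All three findings are properties of the exchange's risk-control policy, so they can be modelled directly. The Python below is an added example written for this article; it is not OKX code and not @dilationeffect's analysis. It implements a toy policy engine with a "weak" configuration that reproduces the three findings and a "hardened" configuration that closes them, then walks two constructed scenarios through both: an attacker who has taken over the victim's phone number (SIM swap) and holds only the SMS factor, and a legitimate user changing their password. The factor strength ranking, the 24-hour lock, the whitelist re-verification limit and the address strings are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed relative strength of second factors: SMS and email share the bottom
# tier, an authenticator app (TOTP, "GA" in the article) sits above them.
FACTOR_STRENGTH = {"sms": 1, "email": 1, "totp": 2}

# Operations that change the account's security posture (from the analysis).
SENSITIVE_OPS = {"disable_sms", "disable_totp", "change_password", "new_device_login"}
WITHDRAWAL_LOCK = timedelta(hours=24)

# Hypothetical per-transaction limit above which a whitelisted address must be
# re-verified. The article names no figure; this value is an assumption.
WHITELIST_REVERIFY_LIMIT = 1_000.0


@dataclass
class Policy:
    no_factor_downgrade: bool    # finding 1: sensitive ops must use the strongest bound factor
    lock_on_all_sensitive: bool  # finding 2: every sensitive op starts the 24h withdrawal lock
    whitelist_limit: bool        # finding 3: whitelisted withdrawals over the limit re-verify


WEAK = Policy(False, False, False)   # behaviour as described in the analysis
HARDENED = Policy(True, True, True)  # behaviour the analysis implies should exist


@dataclass
class Account:
    bound_factors: set[str]
    whitelist: set[str] = field(default_factory=set)
    lock_until: datetime | None = None


def strongest_factor(acct: Account) -> str:
    return max(acct.bound_factors, key=FACTOR_STRENGTH.__getitem__)


def verify(acct: Account, presented: str | None, policy: Policy) -> bool:
    """Does the presented factor satisfy verification for a sensitive operation?"""
    if presented not in acct.bound_factors:
        return False
    if not policy.no_factor_downgrade:
        return True  # weak: any bound factor is accepted, so SMS bypasses TOTP
    return FACTOR_STRENGTH[presented] >= FACTOR_STRENGTH[strongest_factor(acct)]


def sensitive_op(acct: Account, op: str, presented: str | None,
                 now: datetime, policy: Policy) -> bool:
    """Perform a security-posture change; returns True if it was accepted."""
    if op not in SENSITIVE_OPS or not verify(acct, presented, policy):
        return False
    if op == "disable_totp":
        acct.bound_factors.discard("totp")
    elif op == "disable_sms":
        acct.bound_factors.discard("sms")
    # Weak policy: only a new-device login freezes withdrawals.
    if policy.lock_on_all_sensitive or op == "new_device_login":
        acct.lock_until = now + WITHDRAWAL_LOCK
    return True


def authorize_withdrawal(acct: Account, address: str, amount: float,
                         presented: str | None, now: datetime, policy: Policy) -> str:
    """Returns 'locked', 'allowed' or 'denied'."""
    if acct.lock_until is not None and now < acct.lock_until:
        return "locked"
    whitelisted = address in acct.whitelist
    if whitelisted and (not policy.whitelist_limit or amount <= WHITELIST_REVERIFY_LIMIT):
        return "allowed"  # whitelisted and within the limit: no extra verification
    # Not whitelisted, or whitelisted but above the limit: step-up verification.
    return "allowed" if verify(acct, presented, policy) else "denied"


def simulate_sim_swap(policy: Policy) -> dict:
    """Constructed scenario: attacker holds only the SMS factor, victim has TOTP bound."""
    now = datetime(2024, 6, 10, 17, 0)
    acct = Account(bound_factors={"sms", "totp"}, whitelist={"0xWHITELISTED"})
    out = {"totp_disabled": sensitive_op(acct, "disable_totp", "sms", now, policy)}
    out["large_withdrawal"] = authorize_withdrawal(
        acct, "0xWHITELISTED", 50_000.0, "sms", now + timedelta(minutes=1), policy)
    out["after_24h"] = authorize_withdrawal(
        acct, "0xWHITELISTED", 50_000.0, "sms", now + timedelta(hours=25), policy)
    return out


def simulate_security_change(policy: Policy) -> dict:
    """Constructed scenario: legitimate password change, then a small whitelisted withdrawal."""
    now = datetime(2024, 6, 10, 17, 0)
    acct = Account(bound_factors={"sms", "totp"}, whitelist={"0xWHITELISTED"})
    out = {"changed": sensitive_op(acct, "change_password", "totp", now, policy)}
    out["soon"] = authorize_withdrawal(
        acct, "0xWHITELISTED", 500.0, "totp", now + timedelta(minutes=1), policy)
    out["later"] = authorize_withdrawal(
        acct, "0xWHITELISTED", 500.0, "totp", now + timedelta(hours=25), policy)
    return out


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, simulate_sim_swap(policy), simulate_security_change(policy))
```

Under the weak policy the SIM-swap attacker disables TOTP with an SMS code, no freeze starts, and a large withdrawal to the whitelisted address is allowed a minute later. Under the hardened policy the downgrade is refused, and even a large whitelisted withdrawal falls back to step-up verification with the strongest factor; the legitimate password change still goes through, but withdrawals stay frozen for 24 hours afterwards.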

Response from Founder Xu Mingxing

In response to these security issues, OKX founder Xu Mingxing gave the following detailed responses:

1. Explanation of GA Switching to SMS

Xu Mingxing stated that there have been no cases of user asset loss through switching from GA to SMS, and he appreciates everyone's attention.

2. Design of Verification-Free (Whitelisted) Addresses

Verification-free addresses are designed for the automated withdrawal needs of API users, and imposing limits on them would not meet those users' actual requirements. In addition, the security verification required to add a verification-free address is at the same level as that required for a withdrawal, and there are plans to introduce a mechanism by which verification-free addresses expire automatically.

3. Comparison of GA and SMS Security

GA and SMS each have their pros and cons. Although GA's security level is somewhat higher than SMS, it is not completely secure: hackers can obtain GA codes by implanting malware on the user's device or by stealing the user's Google account, while SMS can be stolen through malware, SIM card cloning, fake base stations, or vulnerabilities at SMS service providers.

4. OKX's Confidence in Security

OKX has full confidence in the security of its products and will continue to fully compensate any asset losses caused by OKX itself.

User Security Reminders

Exchange users are once again reminded to bind GA when configuring account security so as not to become targets of hacker attacks. Email and SMS verification are relatively easy to attack; only by strengthening security measures can users better protect their assets.
