CoinDesk fixes a CMS leak that may have been used for crypto insider trading

Bad actors could also create fake drafts or edit articles

Illustration by Alex Castro / The Verge

CoinDesk has fixed an exploit that allowed anyone to view unpublished headlines, create drafts, and edit articles on the website. In a post on its site, CoinDesk says the vulnerability could’ve let “unidentified actors” view non-public information, allowing them to make trading decisions they could profit from.

“The exploit, which was brought to CoinDesk’s attention by a white-hat hacker, may have allowed unidentified actors to profit from nonpublic information by making trades ahead of the publication of at least one article,” Kevin Worth, CoinDesk’s CEO writes in the post. “The issue is now fixed and added safeguards have been put in place.”

While CoinDesk says the security hole only exposed unpublished headlines, the Twitter user who initially brought the exploit to CoinDesk’s attention showed that the issue went much deeper than that. Bad actors found a way to manipulate the application programming interface (API) that CoinDesk uses to publish content. Whenever the API received a malformed request, it responded with a verbose error stack (a long error message), and that output effectively handed the requester what was needed to reach CoinDesk’s backend publishing system. As a result, users were able to change existing articles, add fake drafts, and, of course, get an early look at information that could give them a trading advantage.
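The failure pattern described above, as an added example that is not CoinDesk's code and not part of the original article: a publish handler whose verbose error reporter returns the full traceback with local variables (including a backend token) on a bad request, beside a hardened version that returns a short client-facing message and keeps the traceback in server-side logs behind an opaque incident id, plus a small check that flags a leaky response. The handler names, the configuration keys, the URL and the token value are constructed assumptions for the demo and say nothing about CoinDesk's actual API.

```python
import logging
import traceback
import uuid

log = logging.getLogger("publish_api")

# Constructed configuration for the demo; the token is a placeholder, not a real credential.
CONFIG = {
    "cms_base_url": "https://cms.example.internal/api",  # hypothetical backend
    "cms_token": "PLACEHOLDER-CMS-TOKEN",
}


class BadRequest(ValueError):
    """Raised when a client sends a malformed publish request."""


def publish_article(payload: dict) -> dict:
    """Core handler. It holds the backend token in a local variable, as a real
    handler that calls the CMS would; a verbose error reporter will dump it."""
    token = CONFIG["cms_token"]
    headers = {"Authorization": f"Bearer {token}"}  # would be sent to the CMS
    if not isinstance(payload, dict) or "title" not in payload:
        raise BadRequest("missing required field: title")
    # A real handler would now POST to the CMS with `headers`; here we just echo a draft.
    return {"status": "draft", "title": payload["title"]}


def handle_verbose(payload: dict) -> tuple:
    """The weak pattern: any failure returns the whole traceback, locals
    included, which is what debug-mode error pages typically expose."""
    try:
        return 200, publish_article(payload)
    except Exception as exc:
        tb = traceback.TracebackException.from_exception(exc, capture_locals=True)
        return 500, {"error": "".join(tb.format())}


def handle_hardened(payload: dict) -> tuple:
    """The corrected pattern: client mistakes get a short, specific message;
    anything else gets an opaque reference that maps to a server-side log entry."""
    try:
        return 200, publish_article(payload)
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    except Exception:
        incident_id = uuid.uuid4().hex
        log.exception("publish failed, incident %s", incident_id)  # traceback stays in logs
        return 500, {"error": "internal error", "incident_id": incident_id}


# Strings that must never appear in a response body: traceback framing plus
# the constructed secrets above. A real deployment would list its own values.
LEAK_MARKERS = (
    "Traceback (most recent call last)",
    'File "',
    CONFIG["cms_token"],
    CONFIG["cms_base_url"],
)


def response_leaks(body: dict) -> list:
    """Return the markers found in a response body; an empty list means clean.
    Usable as a unit test on handlers or as a response-scanning rule at the edge."""
    text = " ".join(str(value) for value in body.values())
    return [marker for marker in LEAK_MARKERS if marker in text]


if __name__ == "__main__":
    bad_request = {"body": "no title here"}  # constructed malformed request
    for name, handler in (("verbose", handle_verbose), ("hardened", handle_hardened)):
        status, body = handler(bad_request)
        print(f"{name}: HTTP {status}, leaks={response_leaks(body)}")
```

The verbose handler's response contains the traceback framing, the source file path and the token from the handler's local scope; the hardened handler's response for the same request contains none of them, and the traceback is still available to operators through the logged incident id.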

This type of insider trading isn’t unheard of — in the past, hackers have tapped into newswire sites like BusinessWire, gaining early access to press releases and other information that has the power to tip the stock market.

Law enforcement’s response to insider trading in the world of crypto has been mixed. Last year, the US Commodity Futures Trading Commission opened an investigation into cryptocurrency exchange Binance over possible insider trading and market manipulation. Around the same time, Nate Chastain, the former product chief at NFT marketplace OpenSea, was also accused of using inside information to buy and sell NFTs, but no legal action has been taken. As regulators in the US work to clarify the laws surrounding cryptocurrency, insider trading may become less of a gray area.

Correction February 8th, 2022 12:20PM ET: An earlier version of the story referred to Kevin Worth as CoinDesk’s chief content officer when he is actually the CEO. We regret the error.