Dynex Blockchain Explorer XSS Vulnerability Disclosure

ares-austria
May 13, 2023

The Dynex Blockchain Explorer is a PHP application for examining the Dynexcoin blockchain. The same backend will also serve the upcoming Dynex client-side wallet. This means that any vulnerability in the explorer can potentially be leveraged against the wallet application in the future, possibly granting unrestricted access to all of the wallet's functionality.

Some months ago our team discovered a vulnerability in the Dynex Blockchain Explorer source code. It is a rudimentary Cross-Site Scripting (XSS) issue whose impact ranges from simple annoyances to hijacking user sessions and, chained with other weaknesses, potentially gaining access to the server.

We have contacted the Dynex team about this multiple times, but they have neither responded nor fixed the issue. The lack of input validation and output encoding, together with the failure to follow many other common security practices, is disturbing.
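To make the class of bug concrete without disclosing the explorer's own flaw, here is the general pattern behind a reflected XSS in an explorer-style PHP page, shown beside its hardened form. This is an added illustration written for this post, not code from the Dynex Blockchain Explorer or from its developers; the search-page scenario, the `q` parameter, and the function names are assumptions made for the example.

```php
<?php
// Added illustration, not code from the Dynex Blockchain Explorer.
// Scenario (assumed): an explorer "search" page takes a block hash or block
// height via ?q=... and echoes it back in the results heading.

declare(strict_types=1);

// Vulnerable pattern: the query value is concatenated straight into HTML.
// If q contains markup such as <script>...</script>, the browser of whoever
// loads the resulting page executes it with that user's session.
function render_search_vulnerable(string $q): string
{
    return "<p>Results for: " . $q . "</p>";
}

// Hardened pattern, two independent layers:
//  1. Validate the input against what a search term can legitimately be:
//     a 64-character lowercase hex block hash or a decimal block height.
//     \A and \z anchor the whole string (unlike $, \z does not allow a
//     trailing newline to slip through).
function validate_search_term(string $q): ?string
{
    if (preg_match('/\A[0-9a-f]{64}\z/', $q) === 1) {
        return $q;          // block hash
    }
    if (preg_match('/\A[0-9]{1,10}\z/', $q) === 1) {
        return $q;          // block height
    }
    return null;            // reject everything else
}

//  2. Encode for the HTML context at output time, regardless of validation.
//     ENT_QUOTES also escapes single quotes so the value is safe inside
//     attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
//     silently returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_hardened(string $q): string
{
    $term = validate_search_term($q);
    if ($term === null) {
        // The rejected input is reflected in the error message, so it must
        // be encoded too: this is exactly where reflected XSS usually hides.
        return "<p>Invalid search term: " . h($q) . "</p>";
    }
    return "<p>Results for: " . h($term) . "</p>";
}

// Defence in depth for the session-hijacking impact described above: an
// HttpOnly session cookie cannot be read by injected script. Array form
// requires PHP >= 7.3.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);

// Constructed inputs for the demonstration (not real explorer traffic).
$payload = "<script>alert(document.cookie)</script>";
$hash    = str_repeat("ab", 32);   // 64 hex characters

echo render_search_vulnerable($payload), PHP_EOL;
echo render_search_hardened($payload), PHP_EOL;
echo render_search_hardened($hash), PHP_EOL;
```

Run with `php example.php`: the vulnerable renderer emits the `<script>` tag intact, while the hardened renderer rejects the payload and emits it as `&lt;script&gt;...&lt;/script&gt;`, which the browser displays as text rather than executing. Output encoding is the fix for XSS; the whitelist validation and the HttpOnly cookie are the extra layers that limit the damage when an encoding is missed somewhere else in the application.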

For everyone's safety we will not explain how to exploit the vulnerability; instead we encourage researchers to audit the open-source code: https://github.com/ares-austria/Dynex-Blockchain-Explorer

This is why we are making this public announcement: so that the Dynex developers take it seriously. Once the new wallet application ships, funds will be exposed to this flaw, opening Pandora's box for cyber criminals to exploit it to gain access to Dynex wallets, potentially even exposing the common Mattes-Daniel attack vector.

In response, we publicly request that the project commission a full audit of its source code by a known third party and publish a full report of the findings. This is to protect the multimillion-dollar value of the DNX blockchain and the distributed computing platform attached to it, and it is a requirement if the platform is to be a viable option for the Fortune 500 companies that this groundbreaking computing platform targets.

Aside from security issues, there is plenty of evidence that Dynex is a scam.
