Security status in Cryptocurrency exchanges

[LeGaulois]

I made this graphic using some data from Sqreen. (Yeah, I know it's not a professional one I am usually able to do better but I never tried to use bar graphs or histograms  so I was just playing around)

140 cryptocurrency exchanges have been checked one by one for basic security issues. It doesn't mean these exchanges have vulnerabilities but they should improve some basic security controls

out of the 140 exchanges we analyzed less than 40% of them are using headers like the Strict-Transport-Security header or the X-XSS-Protection header. 20% expose server information which isn’t a security vulnerability in itself but that clearly shows the low level of security best practices implemented. And 26% of them use frontend libraries with known vulnerabilities. Only 2% implemented a Content-Security-Policy that, if done well, can offer powerful protection against clickjacking or XSS

[1715366348]

1715366348

[1715366348]

1715366348

[1715366348]

1715366348

[alyssa85]

That's an interesting graphic. Can you explain what some of the elements mean? What does "strict transport" do, and what are public key pins?

Also, can you list which exchanges have the most security? (perhaps do another graphic scoring the exchanges on each element)

[slackcryptoz]

That's an good effort to give a perfect information regarding the security factors of several cryptocurrency exchanges that were operating around the globe. Exchange authorities develop the best security features be be more secure, but the hacking and large volume stealing of assets still continues.

[Patatas]

You can just google the terms..

That's an interesting graphic. Can you explain what some of the elements mean? What does "strict transport" do, and what are public key pins?

Basically,they're headers.I'm sure you won't understand if you're coming from a non-technical/programming background.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

@OP these mentioned are just surface level security mechanisms.Pretty sure most of these websites are easily prone to other attacks like SQL Injection etc.What is your source of data for the graphs ?

[LeGaulois]

I used data from Sqreen.io as mentioned in the OP, and yes it's just surface level security mechanisms so imagine if you check at the heart of the system. For sure you will find some sites prone to other attacks.

What surprised me first was simply the number of cryptocurrency exchanges tested. I couldn't imagine there are at least 140 websites online.
Then was the fact the biggest exchanges are badly graded with a score 3.8 out of 10.

[JanpriX]

Really appreciate this type of thread which helps the community be aware of things that go unnoticed. And to think that this is a very serious and important information for all of us but the very first time that I read something regarding the topic pointed out in the OP.

Honestly speaking, I don't know most of the terms in those graphs but what I'm sure of is that those are very important security measures to be used by cryptoexchanges and to see that almost all of them have very low security features implemented are very disheartening. Huge amount of money overflows to those exchanges but they don't use it to improve and secure their platform. Well, I will not be surprised if the number of problematic exchanges will arise in the coming months due to security issues.