These are indeed serious bypass that you had mentioned but it doesnt really matter at all yet this exchange do already fallen to scam anyone.Im reading once in a while
Outside this, there are also weak practices like using MD5 based session cookies and don't change it across requests.
into this thread.I havent seen any response of OP on whats happening and also reading up continuous complaints about account disabled and lost funds.
What's happenning? Do you remember how they were hacked in February 2014? Please notice how the last 9 september and the Februrary 2014 are similar (both repeated the same withdrawal several time).
Well it might not be the same guys as in 2014, but I think the hackers just found a variant of the same vulnerability in order to bypass the February 2014 protection which was put after the first attack.
Without C-cex explaining how it exactly happenned. We'll won't know.
Remembering C-cex glory days but they do end up like this after on that 3 months vacation alibi.
What glory days? Trust me, you can be sure even by 2014 security standards, that you wouldn't see GET requests on Facebook or Paypal.
You can be sure those weakness exists since the beggining and aren't the result of a code update.