Sorry c-cex, but you don't seem to care about bug report tickets. Normally, even when you go on coinexchange.io, it's hard to find something vulnerable.
But with c-cex, it's hard to find something protected on the client side. For starters, everything is vulnerable to CSRF, even with 2FA enabled:
Wanna change the chat name of someone else? It's possible to do it by making them click a link which triggers a POST to
http://c-cex.com/?id=profile&rett=chat_b.
Wanna write a chat message with an account you don't own? It's possible to do it by making them click a link which simply works through a GET request.
You hacked the e-mail account linked to a c-cex account? Just make the target user click a link and you'll receive the confirmation link. You also don't need to log in to confirm the withdrawal (another vulnerability combined).
In that case, the only thing protected against CSRF I found is posting limit orders. And even then it's still performed through GET requests.
I also found that making someone lose all funds through clicking
https://c-cex.com/?id=funds&dump=btc requires an origin matching c-cex.com. Though that’s still possible to hide and trigger the target through a redirect.
There is also their internal captcha system
https://c-cex.com/cp.html?s=385353503 which is easy to solve fully automatically through things like IBM Watson or Google Cloud Vision with high success rates.
There are many ways to bypass users completely and steal funds directly from servers like with the recent attack (though I failed to see the vulnerability recently used by the attacker).
The exchange is definitely less secure than Mt.Gox. There are even known bugs used in the past elsewhere that aren't fixed on the exchange (1 task when you are in charge of security is to read the news about recently discovered attack methods). Maybe they also run outdated third-party libraries too, but that's something to investigate.
The only thing positive over Mt.Gox is funds are correctly managed manually outside of the lack of fund audits: they can't "find" a forgotten wallet like it happened with Mt.Gox since no wallets are susceptible to being forgotten.
In some way, the bugs users are noticing with unexecuted withdrawals or disappearing deposits as well as disabled accounts are only the tip of the iceberg.
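
Added example, not part of the original post and not the exchange's code: a minimal server-side gate for the class of issue described above, refusing state changes over GET and requiring a session-bound CSRF token instead of trusting the Origin header alone. The function names, the `https://exchange.example` origin and the session ids are hypothetical.

```python
import hashlib
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}       # must never change state
SERVER_KEY = secrets.token_bytes(32)            # constructed per-process secret
ALLOWED_ORIGIN = "https://exchange.example"     # hypothetical site origin


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Return nonce.HMAC(key, session:nonce); only valid for this session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_is_valid(session_id: str, token) -> bool:
    nonce, sep, mac = (token or "").partition(".")
    if not sep:
        return False
    # Constant-time comparison on bytes (also tolerates non-ASCII input).
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def check_request(method, changes_state, session_id, token=None, origin=None):
    """Return (allowed, reason) for one request to a hypothetical handler."""
    if not changes_state:
        return True, "read-only"
    if method.upper() in SAFE_METHODS:
        return False, "state change over GET"
    # Origin is a secondary signal only; the token is the real check.
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False, "cross-origin"
    if not token_is_valid(session_id, token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    good = issue_csrf_token("session-A")        # constructed sample sessions
    other = issue_csrf_token("session-B")
    for args in [("GET", True, "session-A", good),
                 ("POST", True, "session-A", None),
                 ("POST", True, "session-A", other),
                 ("POST", True, "session-A", good, ALLOWED_ORIGIN)]:
        print(args[:2], check_request(*args))
```
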