Blockfolio Quietly Patches Years-Old Security Hole That Exposed Source Code

The vulnerability, present in older versions of the app, could have allowed a bad actor to steal closed source code and possibly inject their own code into Blockfolio’s GitHub repository and, from there, into the app itself.

May 1, 2020 at 8:55 p.m. UTC
Updated Aug 19, 2021 at 1:57 a.m. UTC


A "white hat," or ethical, hacker found a gaping hole in Blockfolio, the popular mobile cryptocurrency portfolio tracking and management app. The security vulnerability, which appeared in older versions of the application, could have allowed a bad actor to steal closed source code and possibly inject their own code into Blockfolio’s GitHub repository and, from there, into the app itself.

A security researcher at cybersecurity firm Intezer, Paul Litvak, made the discovery last week when he decided to review the security of the cryptocurrency-related tools he was using. Litvak has been involved in cryptocurrencies since 2017 when he used to build bots for trading, and Blockfolio is an Android app he used for managing his portfolio.

“After some time reviewing their [new] app to no avail, I took a look at older versions of the app to see if I could find any long-forgotten secret or hidden web endpoints,” said Litvak. “Soon I found this version from 2017 accessing GitHub’s API.”

[Screenshot: decompiled code from the 2017 build calling GitHub’s API]

That code connects to the company’s GitHub repository using a set of string constants that included a file name and, most importantly, the access token GitHub uses to authorize requests against its repositories. In the decompiled code it appears as the variable “d.”

[Screenshot: the decompiled constants, including the token in variable “d”]

The app used the token to query Blockfolio’s private GitHub repositories; the function in question simply downloaded Blockfolio’s frequently asked questions file from GitHub, sparing the company from having to update it inside the app with each release.

But the token was dangerous because it could read and write the entire repository, not just the FAQ file. Since the app version was three years old, Litvak wanted to know whether the token was still a threat.

“This is severe, but I thought maybe it’s just some old token not in use anymore, from back when they launched,” said Litvak.

The token, he discovered, was still active.

[Screenshot: the API response showing the token still active with the “repo” scope]

“And I found that, nope, the token’s still active and has a ‘repo’ OAuth Scope,” he said. An OAuth scope limits what an application is allowed to do with a user’s account.

The “repo” scope, according to GitHub, grants full access to private and public repositories, including read/write access to code, commit statuses and organization projects, among other things.

“It was using private credentials to access its private code repository,” said Litvak. “Anyone who was curious enough to reverse-engineer the old Blockfolio app could've reproduced it and downloaded all of Blockfolio's code and even pushed their own malicious code into their code base. You're not supposed to have private credentials in apps that anyone can download.”
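The two checks the story turns on, finding a token left behind in an old build and working out what a still-live token can do, as an added example (this is not Blockfolio’s, Intezer’s or CoinDesk’s code). The decompiled snippet, the repo path and the token value in it are constructed for the example. It assumes GitHub’s classic personal-access-token behaviour: 2017-era tokens were 40 hex characters with no prefix (the `ghp_`-style prefixes came later), and `GET https://api.github.com/user` answers 200 with an `X-OAuth-Scopes` header listing the token’s scopes, or 401 once the token has been revoked.

```python
"""Find GitHub tokens left in app code and triage what a live one can do.

Added example (not Blockfolio's, Intezer's or CoinDesk's code). It assumes
GitHub's classic personal-access-token behaviour: 2017-era tokens were 40
hex characters with no prefix (the ghp_/gho_ prefixes arrived later), and
GET https://api.github.com/user answers 200 with an X-OAuth-Scopes header
listing the token's scopes, or 401 once the token has been revoked.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Constructed sample in the style of decompiled Java from an old Android
# build. The repo path and the token are placeholders invented for this
# example; the BUILD_COMMIT hash is there to show a 40-hex value that a
# naive regex would flag even though it is not a credential.
SAMPLE_DECOMPILED = """\
public final class FaqLoader {
    private static final String a = "api.github.com";
    private static final String b = "repos/example-org/example-app/contents/faq.json";
    private static final String c = "Authorization";
    private static final String d = "token 0123456789abcdef0123456789abcdef01234567";
    private static final String BUILD_COMMIT = "89abcdef89abcdef89abcdef89abcdef89abcdef";
}
"""

# Classic tokens are 40 hex chars; only report one when the same line also
# carries a credential/API hint, so bare git hashes are not flagged.
CLASSIC_TOKEN = re.compile(r"\b[0-9a-f]{40}\b")
PREFIXED_TOKEN = re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b")
CREDENTIAL_HINT = re.compile(r"authorization|token|oauth|api\.github\.com", re.I)


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str


def find_github_secrets(text: str) -> list:
    """Scan decompiled source or `strings` output for GitHub tokens."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PREFIXED_TOKEN.finditer(line):
            findings.append(Finding(line_no, "github-token-prefixed", m.group(0)))
        if CREDENTIAL_HINT.search(line):
            for m in CLASSIC_TOKEN.finditer(line):
                findings.append(Finding(line_no, "github-token-classic", m.group(0)))
    return findings


# Scopes that let a token holder alter code or organisation configuration.
CRITICAL_SCOPES = {"repo", "workflow", "delete_repo", "admin:org", "admin:repo_hook"}
HIGH_SCOPES = {"public_repo", "write:packages", "write:org"}


@dataclass
class TokenStatus:
    active: bool
    severity: str   # "none" (revoked), "unknown", "low", "high" or "critical"
    scopes: list


def interpret_probe(status_code: int, headers: dict) -> TokenStatus:
    """Turn the response to GET /user into a verdict on the token."""
    if status_code == 401:
        return TokenStatus(False, "none", [])
    if status_code != 200:
        raise ValueError(f"unexpected status {status_code}")
    lowered = {k.lower(): v for k, v in headers.items()}
    scopes = [s.strip() for s in lowered.get("x-oauth-scopes", "").split(",") if s.strip()]
    if not scopes:
        severity = "unknown"  # fine-grained token, or the header was missing
    elif CRITICAL_SCOPES & set(scopes):
        severity = "critical"
    elif HIGH_SCOPES & set(scopes):
        severity = "high"
    else:
        severity = "low"
    return TokenStatus(True, severity, scopes)


def probe_github_token(token: str, timeout: float = 10) -> TokenStatus:
    """Live check. Only run it against tokens you own or are authorised to test."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"token {token}", "User-Agent": "token-triage-example"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_probe(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return interpret_probe(err.code, dict(err.headers))


if __name__ == "__main__":
    for f in find_github_secrets(SAMPLE_DECOMPILED):
        print(f)
    # Offline illustration of the verdict the article describes for the
    # 2017 token: still active, carrying the "repo" scope.
    print(interpret_probe(200, {"X-OAuth-Scopes": "repo"}))
```

For a real build, run `find_github_secrets` over the output of a decompiler such as jadx or over `strings` of the APK, not just the current release: as Litvak’s approach shows, the leak lives in old versions that are still downloadable. `probe_github_token` performs a network request and is deliberately not called at import time; `interpret_probe` does the classification offline so it can be unit-tested.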

The leaked token had been sitting in a publicly downloadable build for two years, and the hole was still open. Litvak alerted Blockfolio to the issue via social media, since Blockfolio does not run a bug bounty program through which vulnerabilities can be reported.

Blockfolio co-founder and CEO Edward Moncada confirmed in an email to CoinDesk that a GitHub access token had mistakenly been left in a previous version of the Blockfolio app’s codebase and that, once alerted, Blockfolio revoked the token.

Over the following days, Moncada said, Blockfolio audited its systems and confirmed that no changes had been made to its code. Because the token gave access to source code held separately from the database where user data is stored, he said, user data was not at risk.

The token would have allowed someone to change source code, but Moncada said Blockfolio’s internal release process meant there was never a risk that malicious code would have reached users.

“I'd say worst-case scenario, an attacker would update the app's code and collect data about the users. They also have the feature where you put exchange API keys in the app so that could be stolen as well,” said Litvak. “But they [Blockfolio] claim that's impossible because of their 'security reviews.' I'd say it's best nobody got to test those security reviews.”
