May 4, 2020 – Popular crypto tracking app Blockfolio patched a security vulnerability that, if left unaddressed, could have put its users at risk.
The vulnerability was discovered by Paul Litvak, a security researcher at cybersecurity company Intezer. Mr. Litvak reviewed the code of the Blockfolio Android app, which he uses to manage his cryptocurrency portfolio. After reviewing the current app, he looked at older versions to find any “secret or hidden endpoints which might have been long forgotten.”
He found that the 2017 version of the app contained code that connected to Blockfolio’s GitHub repository and also embedded the key used to authenticate to GitHub. The app only used it to download Blockfolio’s FAQs from a private repository, but the same key could be used to access and control the entire GitHub repository. Since this was the 2017 app, Mr. Litvak checked whether the key was still active. It was.
Mr. Litvak said anyone could have reverse-engineered the older Blockfolio app to download all of Blockfolio’s code and then push their own malicious code into the code base. After being alerted to the vulnerability, Edward Moncada, Blockfolio’s co-founder and CEO, confirmed this to CoinDesk and revoked the key. Mr. Moncada also said they audited their code and found that no changes had been made during the time the key was exposed in the older apps.
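The defensive counterpart to what Mr. Litvak did by hand is to scan every release build for embedded credentials before it ships. The following is an added example, not code from the article or from Blockfolio: a small scanner run over the strings extracted from an app build, flagging GitHub token shapes (the prefixed modern formats and the 40-hex personal access tokens of the 2017 era) while filtering out commit hashes and low-entropy filler. The sample input is constructed and contains no real credentials.

```python
import math
import re
from typing import List, Tuple

# Modern GitHub tokens carry a type prefix (ghp_, gho_, ghu_, ghs_, ghr_) followed by
# 36 alphanumerics; 2017-era personal access tokens were 40 hexadecimal characters.
PREFIXED_TOKEN = re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b")
LEGACY_HEX_TOKEN = re.compile(r"\b[0-9a-f]{40}\b")
# A bare 40-hex string is also the shape of a git commit SHA, so the legacy pattern
# is only reported when a credential-related keyword sits on the same line.
CONTEXT_KEYWORDS = re.compile(r"(?i)(github|token|authorization|api\.github\.com|x-oauth)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, repeated filler scores low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(token: str) -> str:
    """Keep only the ends so the finding itself does not leak the secret."""
    return token[:6] + "..." + token[-4:]


def find_github_tokens(text: str, min_entropy: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_token) for each likely GitHub credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PREFIXED_TOKEN.finditer(line):
            findings.append((lineno, "prefixed", redact(m.group())))
        if CONTEXT_KEYWORDS.search(line):
            for m in LEGACY_HEX_TOKEN.finditer(line):
                if shannon_entropy(m.group()) >= min_entropy:
                    findings.append((lineno, "legacy-hex", redact(m.group())))
    return findings


# Constructed sample: the sort of lines a `strings` pass over a decompiled app build
# would print. None of these values are real credentials.
SAMPLE_STRINGS = """\
https://api.github.com/repos/example-org/faq-content/contents/faq.md
Authorization: token 3f9a1c7e2b8d4e6f0a1b2c3d4e5f60718293a4b5
commit 0000000000000000000000000000000000000000
ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
some unrelated string aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa token
"""

if __name__ == "__main__":
    for lineno, kind, tok in find_github_tokens(SAMPLE_STRINGS):
        print(f"line {lineno}: {kind} token {tok}")
```

Any hit in a build that is about to ship, or in an old build still downloadable from an app store, is a key to rotate immediately, exactly as Blockfolio did.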
Blockfolio is a popular mobile app for users who want to manage their cryptocurrency holdings. Data from Google Play suggests it has been downloaded more than 1 million times.
This article is published on BitPinas: Crypto Tracker App Blockfolio Fixes Security Hole Quietly