May 4, 2020 – Popular crypto tracking app Blockfolio patched a security vulnerability that, left unaddressed, could have put its users at risk.
The vulnerability was discovered by Paul Litvak, a security researcher at cybersecurity company Intezer. Mr. Litvak reviewed the code of the Blockfolio Android app, which he uses to manage his own cryptocurrency portfolio. After reviewing the current app, he looked at older versions to find “secret or hidden endpoints which might have been long forgotten.”
He found that the 2017 version of the app contains code that connects to Blockfolio’s GitHub repository and also embeds the key used to authenticate to GitHub. The app used it only to download Blockfolio’s FAQs from a private repository, but the same key could be used to access and control an entire GitHub repository. Because this was the 2017 app, Mr. Litvak checked whether the key was still active. It was.
Mr. Litvak said anyone could have reverse-engineered the older Blockfolio app to download all of Blockfolio’s code and then push their own malicious code into the code base. After being alerted to the vulnerability, Edward Moncada, Blockfolio’s co-founder and CEO, confirmed this to CoinDesk and revoked the key. Mr. Moncada also said they audited their code and found that no changes had been made during the time the key was exposed in the older apps.
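As an added illustration (not Blockfolio’s code or Intezer’s tooling), here is a small Python scanner of the kind a defender can run over decompiled app sources to flag embedded GitHub tokens and the repositories the code talks to, so a shipped build never carries a live key. The sample source, token formats and values are constructed assumptions, not material from the article.

```python
import re

# Constructed sample of decompiled Android source (not Blockfolio's code;
# the values are made up and are not real credentials).
SAMPLE_DECOMPILED = """\
public class FaqLoader {
    private static final String FAQ_URL = "https://api.github.com/repos/example-org/example-faq/contents/faq.json";
    private static final String TOKEN = "0123456789abcdef0123456789abcdef01234567";
    private static final String NEW_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";
    private static final String GIT_REV = "c0ffee0123456789abcdef0123456789abcdefab";
    void load() { conn.setRequestProperty("Authorization", "token " + TOKEN); }
}
"""

# Token shapes (assumption: 2017-era GitHub tokens were 40 hex characters;
# tokens issued since 2021 carry a gh?_ prefix followed by 36 alphanumerics).
PREFIXED_TOKEN = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")
LEGACY_HEX = re.compile(r"\b[0-9a-f]{40}\b")
# A bare 40-hex string is usually a git commit id; only report it when the
# same line also looks like authentication code.
AUTH_CONTEXT = re.compile(r"token|authorization|bearer|api\.github\.com", re.IGNORECASE)
REPO_REF = re.compile(r"api\.github\.com/repos/([\w.-]+/[\w.-]+)")


def mask(secret):
    """Keep only the ends so the report itself never re-leaks the credential."""
    return secret[:4] + "..." + secret[-4:]


def scan_source(text):
    """Return (findings, repos): suspected GitHub tokens and referenced repositories."""
    findings, repos = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PREFIXED_TOKEN.finditer(line):
            findings.append({"line": lineno, "kind": "github_prefixed_token", "value": mask(m.group())})
        for m in LEGACY_HEX.finditer(line):
            if AUTH_CONTEXT.search(line):
                findings.append({"line": lineno, "kind": "github_legacy_token", "value": mask(m.group())})
        repos.update(REPO_REF.findall(line))
    return findings, sorted(repos)


if __name__ == "__main__":
    found, repos = scan_source(SAMPLE_DECOMPILED)
    for f in found:
        print(f"line {f['line']}: {f['kind']} {f['value']}")
    print("repositories referenced:", repos)
```

Any hit is a release blocker until the key is revoked; the repository list tells the reviewer what the key was actually used for, which is the question Blockfolio had to answer after the report.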
Blockfolio is a popular mobile app for users who want to manage their cryptocurrency holdings. Data from Google Play suggests it has been downloaded more than 1 million times.
This article is published on BitPinas: Crypto Tracker App Blockfolio Fixes Security Hole Quietly