Blockfolio crypto app plugs 2-year-old security hole

An ethical hacker recently reported a security flaw in the popular app Blockfolio. Present for two years, the vulnerability is now fixed.

According to Paul Litvak, a security researcher at the New York company Enter, the flaw could have let an attacker steal the application's source code, or even inject their own code into its repositories.

Launched in 2014, Blockfolio is a very popular cryptocurrency price-tracking app, with over a million downloads on Android.

While the app does not directly store users' cryptocurrencies, Litvak explains that hackers are now exploiting every possible avenue to steal them, including through third-party apps like this one.

“After spending some time examining their app to no avail, I took a look at older versions of the app to see if I could find secret or hidden web endpoints for a long time. So I found this version from 2017 that accesses the Github API,” he wrote.

The code connects to Blockfolio's Github repository using a set of constants that include a file name and, above all, the key Github uses to authorize access to repositories.

“It adds a token to the authorization header: the application queries the private Github repositories belonging to Blockfolio. It was used to download its FAQ directly from Github and display it to the user. I stopped digging further because I am not allowed to use the token,” he added.
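The pattern described above, a repository token baked into an app's constants and sent in an Authorization header, is exactly what a secret scanner run over decompiled builds is meant to catch. The following is an added illustration, not code from Blockfolio or from the researcher: it scans a constructed Java constants class (placeholder token, not the real one) for credential-shaped strings and, as the article's point about old releases suggests, checks every archived build rather than only the latest one.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample resembling what the article describes: a file name, a
# GitHub API URL and an access token left in an old build. The token value
# is a made-up placeholder, not the leaked credential.
SAMPLE_CONSTANTS = '''
public final class Constants {
    public static final String FAQ_FILE = "faq.md";
    public static final String GITHUB_API = "https://api.github.com/repos/example-org/app-content/contents/";
    public static final String GITHUB_TOKEN = "0123456789abcdef0123456789abcdef01234567";
    public static final String UA = "BlockfolioDemo/1.0";
}
'''

@dataclass
class Finding:
    line: int
    kind: str
    value: str

# Credential shapes: classic GitHub tokens are 40 hex characters; newer ones
# carry a recognisable prefix (ghp_, gho_, ghu_, ghs_, ghr_).
PATTERNS = {
    "github_token_prefixed": re.compile(r'\b(gh[pousr]_[A-Za-z0-9]{36,})\b'),
    "hex40_secret": re.compile(r'"([0-9a-f]{40})"'),
}
# Words that make a bare hex string look like a credential assignment.
CONTEXT = re.compile(r'(token|secret|authorization|api[_-]?key)', re.I)

def find_hardcoded_tokens(source: str) -> list[Finding]:
    """Return credential-shaped string literals found in one source file."""
    findings: list[Finding] = []
    for n, line in enumerate(source.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                # A bare 40-hex string may just be a git commit id; flag it
                # only when the line itself reads like a credential.
                if kind == "hex40_secret" and not CONTEXT.search(line):
                    continue
                findings.append(Finding(n, kind, m.group(1)))
    return findings

def scan_release_history(sources: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan every archived build: a token removed from the current version
    stays valid while it still ships inside an older downloadable APK."""
    return {ver: f for ver, src in sources.items() if (f := find_hardcoded_tokens(src))}
```

The scanner only reports where a token-shaped value sits; it never sends the value to GitHub, so running it over a third party's app stays within the same limit the researcher set for himself.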

Following this discovery, the white hat contacted Blockfolio via social media. The company quickly blocked the token and responded that no access to its user data or infrastructure had taken place.


The co-founder and CEO of Blockfolio, Edward Moncada, confirmed to Coindesk that a GitHub access token had been left by mistake in a previous version of the Blockfolio application's code base.

Litvak suggests that holders of digital coins use as few third-party services as possible, and favour web services over mobile apps.
