A white hat, or ethical hacker, has found a hole in Blockfolio, the popular mobile cryptocurrency portfolio management and monitoring app. The flaw, present in earlier versions of the application, could have allowed a criminal to steal the closed-source code and possibly inject their own code into the Blockfolio GitHub repository and, from there, into the app itself.
A discovery that happened by chance
A researcher at the computer security firm Intezer, Paul Litvak, made the discovery last week when he decided to review the security of the cryptocurrency-related tools he was using.
Litvak has been involved in the cryptocurrency industry since 2017, when he helped build a trading robot, and Blockfolio is an Android app he used to manage his wallet of Bitcoin-style cryptocurrencies.
"After unnecessarily reviewing their [new] app, I took a look at previous versions of the app to see if I could find long-forgotten secrets or hidden web endpoints," said Litvak.
"I immediately found this version from 2017 by accessing the GitHub API." That code connected to the company's GitHub repository using a set of constants that included a file name and, above all, the token that GitHub accepts to grant access to the repository.
The app queried Blockfolio's private GitHub repositories, and that function simply downloaded Blockfolio's frequently asked questions (FAQ) directly from GitHub, sparing the company the effort of updating it inside its apps.
But leaving the token exposed is dangerous, since anyone holding it could access and control the entire GitHub repository. Because that version of the app was three years old, Litvak investigated whether the problem was still present.
Is the security flaw still active?
"I found that the token is still active and has an OAuth scope of 'repo'," said Litvak. An "OAuth scope" is used to limit what an application may access in a user's account.
The "repo" scope, according to GitHub, grants full access to private and public repositories, including read/write access to code, commit statuses and organization projects, among other functions.
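The two findings above, a credential shipped inside app code and a token scoped far beyond the read-only FAQ fetch it served, are both things a release review can catch before an app is published. The following is an added example written for this article, not Blockfolio's or Intezer's code: it scans extracted or decompiled source text for the shapes GitHub tokens take, then reads the scopes GitHub reports for a token in its X-OAuth-Scopes response header and flags any write-capable scope. The sample source, token values and response headers are constructed; the header name and the scope names are GitHub's real ones.

```python
"""Audit helper for the leak pattern described above: a GitHub token embedded in
shipped app code, carrying the 'repo' scope although the app only read one file.
Added example, not Blockfolio's or Intezer's code; the sample source, token
values and headers below are constructed."""
import re

# Token shapes GitHub has issued: the 40-hex personal access token of the 2017 era,
# and the newer prefixed formats (ghp_/gho_/ghu_/ghs_/ghr_ followed by 36 base62 chars).
GITHUB_TOKEN_PATTERNS = (
    ("legacy-hex", re.compile(r"\b[0-9a-f]{40}\b")),
    ("prefixed", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
)

# A 40-hex string is also the shape of a commit SHA; these words on the same
# line raise the confidence that the match is a credential rather than a hash.
CONTEXT_HINTS = ("token", "auth", "oauth", "secret", "api.github.com")

# OAuth scopes that let a holder write to repositories or organizations
# (names per GitHub's OAuth scope documentation).
WRITE_SCOPES = frozenset({
    "repo", "public_repo", "workflow", "delete_repo", "admin:repo_hook",
    "write:org", "admin:org", "write:packages", "delete:packages",
})


def redact(token):
    """Keep only the ends so a report never reproduces a usable secret."""
    return f"{token[:4]}...{token[-4:]}"


def find_embedded_tokens(source):
    """Scan decompiled/extracted source text line by line for GitHub token shapes.
    Returns one finding per match with line number, kind, confidence and a
    redacted value. Prefixed tokens are unambiguous; a legacy hex match is
    'high' only when a credential-related word sits on the same line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        lowered = line.lower()
        for kind, pattern in GITHUB_TOKEN_PATTERNS:
            for match in pattern.finditer(line):
                if kind == "prefixed":
                    confidence = "high"
                else:
                    confidence = "high" if any(h in lowered for h in CONTEXT_HINTS) else "low"
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "confidence": confidence,
                    "redacted": redact(match.group(0)),
                })
    return findings


def parse_oauth_scopes(headers):
    """GitHub reports a token's scopes in the X-OAuth-Scopes response header as a
    comma-separated list; header names are matched case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "x-oauth-scopes":
            return [s.strip() for s in value.split(",") if s.strip()]
    return []


def excess_scopes(granted, needed=()):
    """Write-capable scopes on the token beyond what the caller needed.
    Reading a file that could simply be public needs no scope at all."""
    return sorted((set(granted) & WRITE_SCOPES) - set(needed))


# Constructed stand-in for a decompiled constants class (not the real app's code).
CONSTRUCTED_SOURCE = """\
// constructed sample, modelled on the pattern described in the article
public final class FaqConfig {
    public static final String FAQ_FILE = "faq.json";
    public static final String GITHUB_TOKEN = "0123456789abcdef0123456789abcdef01234567";
    public static final String LAST_COMMIT = "89abcdef0123456789abcdef0123456789abcdef"; // commit SHA, not a credential
    public static final String NEW_STYLE = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";
}
"""

# Constructed response headers, shaped like those a request to api.github.com made
# with a token would return (header name is real, values are made up).
CONSTRUCTED_HEADERS = {
    "X-OAuth-Scopes": "repo, user:email",
    "X-Accepted-OAuth-Scopes": "",
}


def audit(source=CONSTRUCTED_SOURCE, headers=CONSTRUCTED_HEADERS):
    """Combine both checks: what leaked, and how much it could do."""
    scopes = parse_oauth_scopes(headers)
    return {
        "tokens": find_embedded_tokens(source),
        "scopes": scopes,
        "excess": excess_scopes(scopes),
    }


if __name__ == "__main__":
    report = audit()
    for f in report["tokens"]:
        print(f"line {f['line']}: {f['kind']} token {f['redacted']} ({f['confidence']} confidence)")
    print("scopes:", report["scopes"], "write-capable and unneeded:", report["excess"])
```

On the constructed sample the scan reports the token constant with high confidence, the commit SHA with low confidence (same shape, no credential wording nearby) and the newer prefixed token unconditionally, and the scope check reports "repo" as write-capable and unneeded. The remedy the article's facts point to is to ship no credential at all: content such as an FAQ can be served from a public location or proxied by the vendor's own backend, and any token that genuinely must exist should carry the narrowest scope and be rotated on a schedule.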
"Anyone curious enough to decode the old Blockfolio app could have reproduced it and downloaded all the Blockfolio code and even put their malicious code in their own code base."
This vulnerability had been public for two years and the hole was still open. Litvak warned Blockfolio of the problem via social media, since Blockfolio has no bug bounty program through which vulnerabilities can be reported.
Blockfolio co-founder and CEO Edward Moncada confirmed the story to the media and announced that Blockfolio had revoked the key. In the following days, Moncada stated that Blockfolio had audited its systems and found that no changes had been made.
The token would have allowed someone to modify the source code, but Moncada said there was never any risk of malicious code being released to users.