A researcher at the computer security firm Intezer, Paul Litvak, made the discovery last week when he decided to review the security of the cryptocurrency-related tools he was using.
Litvak has been involved in the cryptocurrency industry since 2017, when he started building a trading bot, and Blockfolio is an Android app he used to manage his cryptocurrency holdings, such as Bitcoin.
"After unnecessarily reviewing their [new] app, I took a look at previous versions of the app to see if I could find long-forgotten secret or hidden web endpoints," said Litvak.
"I immediately found this version from 2017 by accessing the GitHub API." That code connects to the company's GitHub repository using a set of hard-coded constants, including a file name and, crucially, the access token GitHub uses to authorize access to the repository.
The app used the token to reach Blockfolio's private GitHub repositories: the function simply downloaded Blockfolio's frequently asked questions directly from GitHub, saving the company the effort of updating the FAQ inside its apps.
But leaving the key exposed is dangerous, since anyone holding it could access and control the entire GitHub repository. Because the app was three years old, Litvak investigated whether the problem was still present.
"I found that the token is still active and has an OAuth scope 'repo'," said Litvak. An OAuth scope is used to limit an application's access to a user's account.
The "repo" scope, according to GitHub, grants full access to private and public repositories, including read/write access to code, commit statuses and organization projects, among other functions.
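A pre-release check of the kind this finding calls for, as an added example (this is not Blockfolio's code; the source excerpt and the tokens in it are constructed): it scans app source or decompiled strings for the GitHub token formats, and it interprets the X-OAuth-Scopes header GitHub returns on an authenticated API request, flagging the "repo" scope as write access to code. The credential-hint heuristic and the WRITE_SCOPES list are assumptions made for this example.

```python
"""Pre-release check for hard-coded GitHub tokens in app source or strings,
plus an assessment of what a leaked token's OAuth scopes would permit.
Added example; all input below is constructed, not real app code or tokens."""
import re
from dataclasses import dataclass

# Token shapes. The prefixed forms (ghp_, gho_, ghu_, ghs_, ghr_) are the
# formats GitHub introduced in 2021; the bare 40-hex form is the classic
# personal access token format an app built in 2017 would have embedded.
PREFIXED_TOKEN = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b")
CLASSIC_TOKEN = re.compile(r"\b([0-9a-f]{40})\b")

# A bare 40-hex string also looks like a git commit SHA, so the classic
# pattern is only reported when the same line carries a hint that the
# value is a credential (heuristic chosen for this example).
CREDENTIAL_HINTS = re.compile(r"token|secret|authorization|api\.github\.com", re.I)


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # reports show only the first and last 4 characters


def redact(token: str) -> str:
    return f"{token[:4]}...{token[-4:]}"


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per token-shaped string, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PREFIXED_TOKEN.finditer(line):
            findings.append(Finding(line_no, "github-prefixed-token", redact(m.group(1))))
        if CREDENTIAL_HINTS.search(line):
            for m in CLASSIC_TOKEN.finditer(line):
                findings.append(Finding(line_no, "github-classic-token", redact(m.group(1))))
    return findings


# Scopes that let the token holder change code or organization state.
# "repo" is the scope found in the Blockfolio app; the others are taken
# from GitHub's scope documentation as further write-capable scopes.
WRITE_SCOPES = {"repo", "workflow", "write:packages", "admin:org", "delete_repo"}


def assess_scopes(x_oauth_scopes: str) -> dict:
    """Interpret the comma-separated X-OAuth-Scopes header that GitHub
    returns for an authenticated API call such as GET /user."""
    scopes = [s.strip() for s in x_oauth_scopes.split(",") if s.strip()]
    writable = sorted(set(scopes) & WRITE_SCOPES)
    return {
        "scopes": scopes,
        "can_write_code": "repo" in scopes,
        "write_scopes": writable,
        "severity": "critical" if writable else ("medium" if scopes else "low"),
    }


# Constructed decompiled-source excerpt: the commit SHA on line 3 must not
# be reported, the two token constants on lines 4 and 5 must be.
SAMPLE_SOURCE = """\
public final class FaqFetcher {
    static final String FAQ_FILE = "faq.md";
    static final String BUILD_COMMIT = "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3";
    static final String GITHUB_TOKEN = "0123456789abcdef0123456789abcdef01234567";
    static final String NEW_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
    # Header value as it would come back for the token Litvak found.
    print(assess_scopes("repo"))
```

In a release pipeline, the scan runs over the app's source and resource strings before the build is signed; any finding blocks the release, and a token that does turn up is revoked rather than merely removed, since the old APK that carried it remains downloadable.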
"Anyone curious enough to decode the old Blockfolio app could have reproduced it and downloaded all the Blockfolio code and even put their malicious code in their own code base."
This vulnerability had been public for two years and the hole was still open. Litvak reported the problem to Blockfolio via social media, since Blockfolio does not have a bug bounty program for reporting vulnerabilities.
Blockfolio co-founder and CEO Edward Moncada confirmed the story to the media and announced that Blockfolio had revoked access to the key. In the following days Moncada stated that Blockfolio carried out an audit of its systems and found that no changes had been made.
The token would have allowed someone to modify the source code, but Moncada said there would never be a risk of releasing malicious code to users.