Years-Old Cybersecurity Vulnerably Exposed in Blockfolio

Blockfolio, one of the most popular cryptocurrency portfolio tracking applications, could be a highly desirable target for hackers’ attacks.

As of April 22, there are approximately 5,400 cryptocurrencies being traded with a market value of $201 billion United States dollars. The 24-hour daily trading volume has recently been hovering around $100 billion, a key indicator of the sector’s ongoing growth and active investor participation.

It is a well-known fact that cryptocurrencies are among the most fickle assets available, making it virtually impossible to monitor their fluctuations on a continuous basis. Fortunately, we have seen a number of cryptocurrency portfolio trackers being developed and accepted into the market since 2017.

Cryptocurrency portfolios represent any set of investments held by traders across the different types of crypto assets. For instance, if an investor owns 10 tokens or coins, these collectively represent their investment portfolios. The portfolio reflects the style of the trader/investor, their risk tolerance and key elements of their market strategy.

Blockfolio’s rise to prominence

Ian Balina — the blockchain entrepreneur, investor, analyst and CEO of Tokenmetrics who has been very vocal about the economic impact of the COVID-19 pandemic on the cryptocurrency sector — made Blockfolio famous in 2017 when he posted his impressive Blockfolio screenshots on Instagram. Balina is a firm believer in the use of cryptocurrencies in a business context.

The Blockfolio application is among the longest-running tracking platforms and can be part of your personal accounting software tools, most of which today connect your bank accounts via an application programming interface, or API, synchronize your expenses and get you ready for tax time. It allows the user to enter an assortment of cryptocurrencies as well as the ability to add the price that they were originally bought for and/or sold at. The attractive user interface, coupled with its use by a number of leading influencers, made Blockfolio one of the most downloaded cryptocurrency apps in 2017.

Blockfolio has also in the past few months launched a feature called “Blockfolio Signal” — a feature it believes will serve as its main communication platform within the application. This feature offers additional notifications from the teams behind each of the assets that you hold in, or want to add to, your portfolio.

Another feature is its ability to set up multiple portfolios, which can be extremely useful with regard to the categorization of your investments and their individual tracking.

Blockfolio currently supports Binance, Bitfinex, Bittrex, Coinbase and Coinbase Pro, OKEx and Poloniex and has recently given its users the ability to import their existing crypto portfolios into TokenTax’s automated software in order to get ahead of the upcoming tax season. Blockfolio is also completely free to use, but Blockfolio’s founder said in a recent statement that it was planning to monetize the app in the near future around the Blockfolio Signal feature.

The Blockfolio platform has over 5 million active users that utilize it to manage their portfolios. There are more than 400 teams on Blockfolio Signal, which include team members and representatives from Monero (XMR), Dash, NEO, Ether (ETH), NEM, Zcash (ZEC) and the like. Blockfolio furthermore supports over 8,000 crypto assets and continuously collects data from upward of 300 exchanges in order to stay up to date with any price or market updates.

More on the Blockfolio vulnerability

A major security vulnerability was uncovered in Blockfolio’s source code recently. The vulnerability, which showed up in previous versions of the application, would have enabled a hacker to steal closed source code and possibly manipulate the data by introducing their own code in Blockfolio’s GitHub repository and eventually into the app itself.

After evaluating the security of the cryptocurrency platforms he used, Paul Litvak — a security researcher at cybersecurity firm Intezer — uncovered the weakness. Litvak has been interested in cryptocurrencies since 2017 when he developed trading bots, and Blockfolio had been his managing platform of choice until the recent discovery.

With more than 47 million blockchain wallet users out there at the moment, hackers have a vast pool of possible victims to target, which is the reason they are actively targeting cryptocurrency platforms. The code Litvak uncovered linked to the organization’s GitHub repository by using a series of constants including a filename and, most importantly, the GitHub key that allowed access to the repositories.

The app queried Blockfolio’s private GitHub repository, and that query led to an immediate download of Blockfolio’s FAQs directly from GitHub, a step that was probably put in place to save the company the effort of updating its applications every time it made a change.

However, the key Litvak discovered was troublesome, as it could access an entire GitHub repository and exploit it. He was interested to see if this hazard persisted, as the application was already several years old.

Blockfolio's vulnerable source code

According to GitHub, a “repo” provides direct access to both public and private repositories and involves, among other features, the ability to read and write code and commit statuses as well as organization projects.

To make matters worse, the uncovered vulnerability had been public for two years and still remained open. Litvak alerted Blockfolio about the vulnerability via social media, as Blockfolio does not make use of a bug bounty program to remove vulnerabilities.

Edward Moncada, Blockfolio’s co-founder and CEO, confirmed that the GitHub access token was erroneously left in the older versions of the codebase and that they revoked access to that specific key as soon as they were alerted to the vulnerability. Moncada stated that Blockfolio carried out an audit of its systems and that no changes had been made. Since the token provided access to code that was separate from the database where the user data was stored, no user data was at risk.

The token might have been able to allow someone to change the source code, but there are several internal procedures in place that are checked prior to releasing any changes or updates to the system, and as such, malicious code would not have been released to any of its users.

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Sam Bocetta is a freelance journalist specializing in United States diplomacy and national security, with an emphasis on technology trends in cyber warfare, cyber defense and cryptography. Previously, Sam was a contractor for the U.S. Department of Defense, working in partnership with architects and developers to mitigate controls for vulnerabilities identified across applications.

Leave a Reply

Your email address will not be published. Required fields are marked *