Blockfolio’s Long-Forgotten Github Token Leak

3 min readMay 1, 2020

For more than 2 years, Blockfolio was vulnerable to any attacker stealing their source code and perhaps even injecting his own code into their repositories.
This is a quick write-up about how I was able to find a Github token to Blockfolio.

Blockfolio is the most popular Cryptocurrency price tracking app, with more than 1 million downloads on Android alone. They offer an interface to watch Cryptocurrency prices, set alerts for price movements and even monitor your portfolio (through inputting read-only exchange API keys).

I’ve been into Crypto coins for a little while now, and its common knowledge that using third party services can expose you to risks. Attackers want your coins and will abuse any attack surface available.

Very well, I secure my coins in an offline wallet, but my storage isn’t the only attack vector possible to target me.

I decided to review Cryptocurrency-related tools I use to test the security of these tools which can be used to target me. Blockfolio is the only Android app I am using for Crypto coins so it seemed like a good first target.

After some time reviewing their app to no avail, I took a look at older versions of the app to see if I can find any long-forgotten secret or hidden web endpoints. Soon I found this version from 2017 accessing Github’s api.

It’s also appending a token to the authorization header:

The app is querying private Github repositories belonging to Blockfolio.
This was used to download its frequently asked questions (FAQ) directly from Github and displaying it to the user. A dynamic FAQ.

This is severe, but maybe it’s just some old token not in use anymore, from back when they launched. Lets verify:

Nope, token’s still active, and has a “repo” OAuth Scope. explains this scope:

I stopped digging further since I do not have permission to use the token and reached out to Blockfolio through DMs in social media (they do not have a bug bounty). The company blocked the token within 24 hours and replied that no access to its user data or infrastructure was made.

My suggestion to cryptocurrency users is to reduce cryptocurrency related third parties as much as possible. Do not install such applications that can execute code on your phone, use web services instead.

Stay safe everyone, both physically and virtually!