BLOCKFOLIO Crypto Portfolio App Is Snooping On Users

The popular cryptocurrency portfolio app Blockfolio, downloaded over 100,000 times and backed by a Telegram chat group of more than 1,100 traders, has the ability to snoop on users’ positions.

It is recommended that all users discontinue usage immediately. Both the Android and iOS versions intentionally phone home to Blockfolio and report all of a user’s positions, tied to an identifier unique to each device.

Details:

Using Burp Suite: configuring the phone to route its traffic through the Burp proxy makes it possible to intercept all of the app’s data. The leak is observable on both Android and iOS.

Below are screenshots and links showing the evidence:

http://api-v0.blockfolio.com/rest/get_positions_v2/your-device-id-here/BTC-XRP?fiat_currency=USD

http://api-v0.blockfolio.com/rest/get_positions_v2/your-device-id-here/USD-BTC?fiat_currency=USD (for Bitcoin)

GET /rest/sync_holding_positions/INSERTCOINHERE/BTC?token=device-token&id=80&price=0.0&quantity=0.0&exchange=bittrex&date=1496161214327

Example:
http://api-v0.blockfolio.com/rest/sync_holding_positions/XMR/BTC?token=your-device-id-here&id=80&price=0.0&quantity=0.0&exchange=bittrex&date=146676131432
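The request URLs above carry a device identifier together with the coin, price, quantity and exchange of each holding, over plain http://. The following is an added triage helper, not Blockfolio’s code or part of the original post: it takes URLs captured by a proxy such as Burp and reports, per request, what an on-path observer could learn. The field names are assumed from the URLs quoted above, and the sample capture is constructed from those placeholder URLs plus one unrelated HTTPS request for contrast.

```python
from urllib.parse import urlsplit, parse_qs

# Field names taken from the request URLs quoted above (assumed to be the
# app's full set; a real audit would take them from the captured traffic).
DEVICE_FIELDS = {"token"}
HOLDING_FIELDS = {"id", "price", "quantity", "exchange", "date"}


def audit_request(url: str) -> dict:
    """Describe what an on-path observer learns from one captured request."""
    parts = urlsplit(url)
    query = set(parse_qs(parts.query))
    segs = [s for s in parts.path.split("/") if s]
    rest = segs[segs.index("rest") + 1:] if "rest" in segs else []
    endpoint = rest[0] if rest else None
    result = {
        "plaintext": parts.scheme == "http",   # no TLS: readable on the wire
        "endpoint": endpoint,
        "device_identifier": bool(DEVICE_FIELDS & query),
        "assets": [],
        "holding_fields": sorted(HOLDING_FIELDS & query),
    }
    # get_positions_v2/<device-id>/<PAIR>: the device id sits in the path itself
    if endpoint == "get_positions_v2" and len(rest) >= 3:
        result["device_identifier"] = True
        result["assets"] = rest[2].split("-")
    # sync_holding_positions/<COIN>/<BASE>?token=...: device token is in the query
    elif endpoint == "sync_holding_positions" and len(rest) >= 3:
        result["assets"] = rest[1:3]
    return result


def leaks_portfolio(url: str) -> bool:
    """True when a request ties a device identifier to holdings in the clear."""
    r = audit_request(url)
    return r["plaintext"] and r["device_identifier"] and bool(r["assets"] or r["holding_fields"])


# Constructed sample capture: the placeholder URLs quoted on this page plus an
# unrelated HTTPS request (placeholder host) for contrast.
SAMPLE_CAPTURE = [
    "http://api-v0.blockfolio.com/rest/get_positions_v2/your-device-id-here/BTC-XRP?fiat_currency=USD",
    "http://api-v0.blockfolio.com/rest/sync_holding_positions/XMR/BTC?token=your-device-id-here&id=80&price=0.0&quantity=0.0&exchange=bittrex&date=146676131432",
    "https://example.invalid/rest/get_prices?fiat_currency=USD",
]

if __name__ == "__main__":
    for url in SAMPLE_CAPTURE:
        print("LEAK " if leaks_portfolio(url) else "ok   ", audit_request(url))
```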