Bitcoin Forum
Topic: Sharing API of exchange with Blockfolio? Risky or not?
Little Mouse (OP)
February 02, 2021, 05:44:28 AM
 #1

To have automated tracking of buy/sell for monitoring my portfolio, I want to share the API key and secret key. I can manually do everything but it’s a lot of work. Is it risky to share the API key and the secret key Blockfolio is asking for? I don't know, can someone share please?
For the last few days, I made some mistakes in manually adding the buy/sell in the portfolio. That's why I'm looking for automated ways.

PrimeNumber7
February 02, 2021, 07:27:19 AM
 #2

Most exchanges should allow for different permissions for different API keys. This means you should be able to set the API key you provide to Blockfolio to only be able to view your trades and positions, and not be able to place any trades, nor be able to withdraw any coin.

If you share an API key that has permissions to place trades, there will be the risk that either Blockfolio will place trades on your behalf, or that they will get hacked and the hacker will place trades for you.
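
An added example, not part of the thread and not any exchange's or Blockfolio's code: a check to run on a key's permission flags before handing it to a tracker, matching the read-only setup described above. The flag names and sample records are constructed for illustration; real exchanges name their permission flags differently.

```python
# Added example: audit an exchange API key's permission flags before sharing it.
# Flag names and sample records are constructed; real exchanges name them differently.

# The only capability a portfolio tracker needs.
READ_ONLY_ALLOWLIST = {"enableReading"}

# Fields that describe the key rather than grant a capability.
METADATA_FIELDS = {"label", "createTime", "ipRestrict"}


def audit_key(permissions: dict) -> list:
    """Return reasons the key is unfit to share; an empty list means read-only."""
    problems = []
    for name, value in sorted(permissions.items()):
        if name in METADATA_FIELDS:
            continue
        if not isinstance(value, bool):
            # Fail closed: a capability field we cannot interpret counts as risky.
            problems.append(f"{name}: unexpected value {value!r}")
        elif value and name not in READ_ONLY_ALLOWLIST:
            # Allowlist, not denylist: flags this script has never heard of
            # (a new product the exchange added later) are rejected too.
            problems.append(f"{name}: enabled")
    if permissions.get("enableReading") is not True:
        problems.append("enableReading: not enabled, tracker cannot read trades")
    return problems


# Constructed sample: a key created only for the tracker.
TRACKER_KEY = {
    "label": "tracker", "createTime": 1612244668000, "ipRestrict": False,
    "enableReading": True, "enableTrading": False, "enableWithdrawals": False,
}

# Constructed sample: an existing bot key someone might be tempted to reuse.
TRADING_KEY = {
    "label": "bot", "createTime": 1600000000000, "ipRestrict": False,
    "enableReading": True, "enableTrading": True,
    "enableWithdrawals": False, "enableFutures": True,
}

if __name__ == "__main__":
    for key in (TRACKER_KEY, TRADING_KEY):
        findings = audit_key(key)
        print(key["label"], "-> OK to share" if not findings else findings)
```
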
TryNinja
February 02, 2021, 08:07:56 AM
Last edit: February 02, 2021, 07:28:15 PM by TryNinja
 #3

Read only would be ok (at most, bad for your privacy), but I wouldn't give them any API key with permissions to trade or withdraw coins.

Quote
A “white hat,” or ethical, hacker found a gaping hole in Blockfolio, the popular mobile cryptocurrency portfolio tracking and management app. The security vulnerability, which appeared in older versions of the application, could have allowed a bad actor to steal closed source code and possibly inject their own code into Blockfolio’s GitHub repository and, from there, into the app itself.

“And I found that, nope, the token’s still active and has a “repo” OAuth Scope,” he said. An “OAuth Scope” is used to limit an application’s access to a user’s account.

[...]

A “repo,” according to GitHub, grants full access to private and public repositories, and includes read/write access to code, commit statuses and organization projects, among other functions.

[...]

“I’d say worst-case scenario, an attacker would update the app’s code and collect data about the users. They also have the feature where you put exchange API keys in the app so that could be stolen as well,” said Litvak. “But they [Blockfolio] claim that’s impossible because of their ‘security reviews.’ I’d say it’s best nobody got to test those security reviews.”
Blockfolio Quietly Patches Years-Old Security Hole That Exposed Source Code

Their answer: https://help.blockfolio.com/hc/en-us/articles/360022122293-API-Keys-To-Trust-or-Not-to-Trust-That-is-the-Question

Just imagine... you open your Binance account and see you went all-in on a random shitcoin before it dumped. Was it worth it? :P

AdolfinWolf
February 02, 2021, 03:55:31 PM
 #4

Quote
Blockfolio Quietly Patches Years-Old Security Hole That Exposed Source Code

Just imagine... you open your Binance account and see you went all-in on a random shitcoin before it dumped. Was it worth it? :P

I assume there wouldn't be much of a problem if the api is only used client-side, e.g. the api key never actually leaves your device, but from the above article I'm sorta making up that that is not the case?

If they do not keep the api key client-side only, or if you have to ask/wonder (if it's not open-sourced), like I currently do, it's probably a bad idea.

There's 0 accountability on their part if something goes wrong, and you'll never be able to prove it was them who stole your coins either.

Actually a pretty smart business model if you have little to no morals. Bit offtopic: I don't see how blockfolio makes money? Ads?

Quote
Given what you now know about APIs, you’ll hopefully feel more empowered to make an informed decision about whether to offer your Exchange API Keys to Blockfolio in return for wallet exchange integration in Blockfolio 2.2.  With that said, Blockfolio is firmly committed to the protection, security, and privacy of all its user data.  As a principle, we believe if you already trust your favorite crypto Exchange and your favorite portfolio tracking app (Blockfolio, of course!) with your data and information, then offering your Exchange API keys for real-time exchange integration is an extremely low risk / high reward proposition.  For a discussion of further exchange integration benefits, head over here.
Seriously, what the hell? Why can't they just clearly say whether or not the api key is stored client-side only.

Little Mouse (OP)
February 02, 2021, 04:11:09 PM
 #5

Thanks for all the input. I would give read-only API so that Blockfolio can track my records, as in the last few days I have made so many trades that I made the mistake of not logging some txs, which puzzled me, and I had to go through all the trades to get the correct balance.


Quote
Actually a pretty smart business model if you have little to no morals. Bit offtopic: I don't see how blockfolio makes money? Ads?

There is one ad in the header. Till yesterday, that was the only option to make money for them. But from yesterday, they have also started an exchange service, although I have not tried that till now.
