Venmo’s flaw could have allowed anyone to use Siri on a locked iPhone to empty your account [Video]
Martin Vigo, a product security engineer at Salesforce, recently discovered that, using nothing but Siri, anyone could empty a Venmo account from a locked iPhone in less than two minutes, stealing up to the weekly limit of $2,999.99.
Venmo is a PayPal-owned payment service that lets users transfer money to one another through a mobile app or web interface. Users can link their bank accounts, debit cards, or credit cards to their Venmo account and use it to pay bills or friends with just a few taps. Besides sending money, you can also request payments from other people.
One of the app’s features allows a user to “charge” another user for something, which results in an SMS notification being sent to the person who was charged. The recipient can then reply to that SMS with the six-digit code contained in the original message, and the reply completes the payment.
Vigo notified the payment service, which patched the design flaws in the Venmo app and iOS that allowed money to be stolen from other people’s Venmo accounts. Venmo responded within 18 days of being notified by removing the SMS “reply-to-pay” functionality altogether, preventing this class of attack.
How did this vulnerability occur?
The vulnerabilities stem from the way iOS allows a limited range of actions, such as sending text messages and initiating phone calls, to be performed without unlocking the phone with a PIN or fingerprint. Combined with Siri commands and other methods, the flaws allow an attacker to initiate and confirm a payment from the victim’s Venmo account.
So, how does it work?
SMS notifications are not enabled by default in Venmo. To enable the Venmo SMS service, an attacker tells Siri to send a text message saying “START” to 86753, the short code owned by Venmo and used for all of its SMS notifications. The attacker then sends a payment request to the victim’s account. The maximum amount that can be requested is $299.99, with a weekly limit of $2,999.99.
Venmo then asks the victim to confirm the request by sending an SMS containing a one-time payment validation code; for the payment to go through, the recipient has to text this code back to Venmo. The attacker can do exactly that from the lock screen: tell Siri to read the last SMS message received, note the code, and then tell Siri to send it back to the Venmo short code. Because the one-time code is delivered to, and read from, the same locked handset, it never proves that the account owner is present. And voilà, it’s done. Oops, you have just been looted!
Below is a demo video of Vigo’s attack.