Payment loophole fixed in Venmo to prevent future scams

Aug 3, 2016 00:25 GMT

Venmo has patched an attack vector described by security researcher Martin Vigo, who was able to combine design flaws in the Venmo app and iOS in order to steal money from other people's accounts.

Venmo is a mobile app that lets people transfer money to one another, and like many such apps, it also lets one user send a payment request (a "charge") to another.

Vigo discovered that, with physical access to a friend's locked iPhone and under certain conditions, he could abuse design flaws in Venmo and iOS to approve money requests on the victim's behalf, up to $2,999.99 per week per scammed user.

Design flaws in Venmo and iOS

At the heart of the issue, as Vigo also explains in the video below and on his personal blog, is the fact that, in the default configuration, Siri is enabled on iOS devices even while the device is locked.

An attacker could send a payment request to the owner of an iOS phone, and the request would arrive on the victim's handset. Normally, the Venmo app would show a notification, but Vigo discovered that he could tell Siri to send a text message to Venmo's five-digit phone number (its SMS short code), so that the payment request was handled over SMS instead of through the app's notifications.

So basically, someone could pick up your locked iPhone, enable Venmo's SMS notification setting, request a payment from their own Venmo account, tell Siri to read the SMS message that had just arrived, tell Siri to put the payment validation code into a new SMS, send that SMS, and voila, the attacker has just stolen your money.

All of this is possible because Apple insists on shipping devices with Siri turned on by default, even when the phone is locked.

Venmo addressed all issues

Vigo contacted Venmo and notified the company of the problem, and it responded by killing the SMS "reply-to-pay" functionality altogether, along with fixes for other smaller issues that opened the door to similar attacks.

"There was no good way to fix it. I am glad Venmo decided to kill a feature [vs.] keeping it knowing it has flaws," Vigo noted.

Below is a video of Vigo's attack. Before discovering this flaw, Vigo and a friend had found flaws in the LastPass password manager in November 2015.