venmo-hack

A vulnerability in the iOS money-transfer app Venmo allowed anyone who managed to get access to a locked iPhone for as little as two minutes to empty the account, stealing as much as the weekly limit of $2999.99.

TNW reports that the flaw was discovered by a SalesForce security engineer Martin Vigo, who notified Venmo and waited until the loophole had been closed before demonstrating the method …

I remembered that you can use Siri to send SMS when your device is locked. It is worth noting that this feature is on by default and became especially popular when the “Hey Siri” feature was added in iOS 9.

Now that we know we can send SMS on locked devices, we need the code present in the SMS in order to reply and make the payment. Apple introduced the “Text Message Preview” which allows you too see in the lock screen who sent you a text and part of the content. This is also on by default.

If we combine these two, I am able to see the SMS with the code and can reply using Siri. All this without unlocking the device. All this out of the box.

All someone would need to do was send a text message to enable Venmo’s SMS service from someone’s iPhone, send a request for money from their own phone and then text back the approval code from the victim’s phone. Both initiation and approval texts could be sent from a locked iPhone.

Venmo was forced to remove the reply-to-pay functionality in order to prevent such attacks.

Paypal-owned Venmo was originally launched as a person-to-person payment service, but added an in-app payment option earlier this year, offering similar functionality to Apple Pay when making purchases from within an app.

You can watch a video demo below.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy's favorite gear