A vulnerability in the iOS money-transfer app Venmo allowed anyone who managed to get access to a locked iPhone for as little as two minutes to empty the account, stealing as much as the weekly limit of $2999.99.
I remembered that you can use Siri to send SMS when your device is locked. It is worth noting that this feature is on by default and became especially popular when the “Hey Siri” feature was added in iOS 9.
Now that we know we can send SMS on locked devices, we need the code present in the SMS in order to reply and make the payment. Apple introduced the “Text Message Preview” which allows you to see on the lock screen who sent you a text and part of the content. This is also on by default.
If we combine these two, I am able to see the SMS with the code and can reply using Siri. All this without unlocking the device. All this out of the box.
All someone would need to do was send a text message from the victim’s iPhone to enable Venmo’s SMS service, send a request for money from their own phone, and then text back the approval code from the victim’s phone. Both the initiation and approval texts could be sent from a locked iPhone.
Venmo was forced to remove the reply-to-pay functionality in order to prevent such attacks.
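On the device side, the two lock-screen defaults described above can be checked in a managed fleet. The following is an added example, not code from the researcher or Venmo: it audits a configuration profile for both settings, assuming Apple's Restrictions key `allowAssistantWhileLocked` and the Notifications payload keys `ShowInLockScreen` and `PreviewType`, with a constructed sample profile.

```python
import plistlib

# Constructed sample profile (not from the article): Siri allowed while locked
# and Messages previews always shown, i.e. the out-of-the-box state.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowAssistantWhileLocked</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.notificationsettings</string>
      <key>NotificationSettings</key><array><dict>
        <key>BundleIdentifier</key><string>com.apple.MobileSMS</string>
        <key>ShowInLockScreen</key><true/>
        <key>PreviewType</key><integer>0</integer>
      </dict></array>
    </dict>
  </array>
</dict></plist>"""

MESSAGES_BUNDLE = "com.apple.MobileSMS"

def audit_lock_screen(profile_bytes):
    """Return findings for the two lock-screen defaults the article chains."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    siri_locked = True   # assumed default when the profile sets no restriction
    sms_preview = True   # assumed default when the profile sets no preview rule
    for p in payloads:
        ptype = p.get("PayloadType")
        if ptype == "com.apple.applicationaccess":
            siri_locked = p.get("allowAssistantWhileLocked", True)
        elif ptype == "com.apple.notificationsettings":
            for app in p.get("NotificationSettings", []):
                if app.get("BundleIdentifier") != MESSAGES_BUNDLE:
                    continue
                shown = app.get("ShowInLockScreen", True)
                # PreviewType: 0 = always, 1 = when unlocked, 2 = never
                sms_preview = shown and app.get("PreviewType", 0) == 0
    findings = []
    if siri_locked:
        findings.append("Siri usable while locked (can send SMS)")
    if sms_preview:
        findings.append("SMS content previewed on lock screen (codes readable)")
    if siri_locked and sms_preview:
        findings.append("Both present: SMS-code approvals work on a locked device")
    return findings
```

Either setting alone breaks the chain, so a profile that clears one of the first two findings also clears the third.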
PayPal-owned Venmo was originally launched as a person-to-person payment service, but added an in-app payment option earlier this year, offering similar functionality to Apple Pay when making purchases from within an app.