August 5, 2016 By Larry Loeb 2 min read

Venmo, PayPal’s free digital wallet service, has come up with major service changes that address vulnerabilities as a result of one security researcher’s experience.

Martin Vigo posted the story behind his involvement in the recent patches. It all started from him noticing that, when the wallet was used, the SMS feature kicked in even though it had not been explicitly authorized. The SMS gave him the option to reply with a six-digit code to make a payment to another person using Venmo. Whomever was being given this payment had to re-enter this code for the payment to progress.

iOS Quirks Could Lead to Problems

However, the iOS environment handles SMS messages in multiple ways. For example, Siri can send an SMS message even when a device is locked. This feature is on by default in iOS and became routinely used when the “Hey Siri” modification was added in iOS 9.

There is also a text message preview, which allows users to see in the lock screen who sent a text along with part of the content. This is also enabled by default. Vigo explained that these two features, along with the ability to reply to texts using Siri, allowed him to complete transactions without unlocking the device.

He also found that Venmo had operational problems in how it implemented SMS. Vigo discovered that one can activate the SMS notification service by sending an SMS to 86753 with the word “start.” The number 86753 is a short code owned by Venmo and used for all of its SMS notifications.

What this means was summarized by Softpedia: “Someone could pick up your iPhone, activate the SMS notification settings, ask for a payment from their Venmo account, tell Siri to read the SMS message that was just received, tell Siri to input the payment validation code inside a new SMS, send the SMS and voila — the attacker has just stolen your money.”

Self-Mitigation for Venmo Issues

Let’s say that the user was able to disable Siri in the lock screen as well as the SMS preview feature. All should be OK, right? Wrong.

Vigo thought of another way in: He tried to steal money remotely without access to the targeted user’s device. It involved brute-forcing the six-digit authorization code. But Venmo had already implemented a rate-limiting mechanism allowing users to try only up to five codes every five minutes, SecurityWeek noted.

Further research showed that each charge request had its own authorization code and generating a new request did not invalidate the previous code. An attacker would be able to send multiple requests directed to a single victim (or a single request to multiple victims) in an effort to increase the chances of finding the right authorization code.

Vigo contacted the company, and after some hemming and hawing it pulled the SMS feature from the product in its entirety.

This step by Venmo is in line with NIST’s recent report that depreciates two-factor authentication when done by SMS. The institute found too many conceptual vulnerabilities — not to mention the man-in-the-middle possibilities — to recommend the method.

More from

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today