August 5, 2016 By Larry Loeb 2 min read

Venmo, PayPal’s free digital wallet service, has come up with major service changes that address vulnerabilities as a result of one security researcher’s experience.

Martin Vigo posted the story behind his involvement in the recent patches. It all started from him noticing that, when the wallet was used, the SMS feature kicked in even though it had not been explicitly authorized. The SMS gave him the option to reply with a six-digit code to make a payment to another person using Venmo. Whomever was being given this payment had to re-enter this code for the payment to progress.

iOS Quirks Could Lead to Problems

However, the iOS environment handles SMS messages in multiple ways. For example, Siri can send an SMS message even when a device is locked. This feature is on by default in iOS and became routinely used when the “Hey Siri” modification was added in iOS 9.

There is also a text message preview, which allows users to see in the lock screen who sent a text along with part of the content. This is also enabled by default. Vigo explained that these two features, along with the ability to reply to texts using Siri, allowed him to complete transactions without unlocking the device.

He also found that Venmo had operational problems in how it implemented SMS. Vigo discovered that one can activate the SMS notification service by sending an SMS to 86753 with the word “start.” The number 86753 is a short code owned by Venmo and used for all of its SMS notifications.

What this means was summarized by Softpedia: “Someone could pick up your iPhone, activate the SMS notification settings, ask for a payment from their Venmo account, tell Siri to read the SMS message that was just received, tell Siri to input the payment validation code inside a new SMS, send the SMS and voila — the attacker has just stolen your money.”

Self-Mitigation for Venmo Issues

Let’s say that the user was able to disable Siri in the lock screen as well as the SMS preview feature. All should be OK, right? Wrong.

Vigo thought of another way in: He tried to steal money remotely without access to the targeted user’s device. It involved brute-forcing the six-digit authorization code. But Venmo had already implemented a rate-limiting mechanism allowing users to try only up to five codes every five minutes, SecurityWeek noted.

Further research showed that each charge request had its own authorization code and generating a new request did not invalidate the previous code. An attacker would be able to send multiple requests directed to a single victim (or a single request to multiple victims) in an effort to increase the chances of finding the right authorization code.

Vigo contacted the company, and after some hemming and hawing it pulled the SMS feature from the product in its entirety.

This step by Venmo is in line with NIST’s recent report that depreciates two-factor authentication when done by SMS. The institute found too many conceptual vulnerabilities — not to mention the man-in-the-middle possibilities — to recommend the method.

More from

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today