Venmo, PayPal’s free digital wallet service, has made major service changes to address vulnerabilities that came to light through one security researcher’s experience.

Martin Vigo posted the story behind his involvement in the recent patches. It all started when he noticed that, when the wallet was used, the SMS feature kicked in even though it had not been explicitly authorized. The SMS gave him the option to reply with a six-digit code to make a payment to another person using Venmo. Whoever was being given this payment had to re-enter this code for the payment to progress.

iOS Quirks Could Lead to Problems

However, the iOS environment handles SMS messages in multiple ways. For example, Siri can send an SMS message even when a device is locked. This feature is on by default in iOS and became routinely used when the “Hey Siri” modification was added in iOS 9.

There is also a text message preview, which allows users to see in the lock screen who sent a text along with part of the content. This is also enabled by default. Vigo explained that these two features, along with the ability to reply to texts using Siri, allowed him to complete transactions without unlocking the device.

He also found that Venmo had operational problems in how it implemented SMS. Vigo discovered that one can activate the SMS notification service by sending an SMS to 86753 with the word “start.” The number 86753 is a short code owned by Venmo and used for all of its SMS notifications.

What this means was summarized by Softpedia: “Someone could pick up your iPhone, activate the SMS notification settings, ask for a payment from their Venmo account, tell Siri to read the SMS message that was just received, tell Siri to input the payment validation code inside a new SMS, send the SMS and voila — the attacker has just stolen your money.”

Self-Mitigation for Venmo Issues

Let’s say that the user was able to disable Siri in the lock screen as well as the SMS preview feature. All should be OK, right? Wrong.

Vigo thought of another way in: He tried to steal money remotely without access to the targeted user’s device. It involved brute-forcing the six-digit authorization code. But Venmo had already implemented a rate-limiting mechanism allowing users to try only up to five codes every five minutes, SecurityWeek noted.

Further research showed that each charge request had its own authorization code and generating a new request did not invalidate the previous code. An attacker would be able to send multiple requests directed to a single victim (or a single request to multiple victims) in an effort to increase the chances of finding the right authorization code.
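As an added example (not Venmo's code and not taken from Vigo's write-up), here is one way a server could close the gap described above for the single-victim case: a new charge request replaces any outstanding code, and guesses are counted per payer rather than per request. The class and method names are hypothetical; the five-attempts-per-five-minutes budget comes from the article, and the code lifetime is an assumption.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5       # from the article: five codes ...
WINDOW_SECONDS = 300   # ... every five minutes
CODE_TTL = 300         # assumed lifetime of a code, in seconds


class ChargeAuthorizer:
    """Hypothetical store: one live code per payer, attempts counted per payer."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}    # payer -> (request_id, code, expires_at)
        self._attempts = {}   # payer -> timestamps of recent guesses

    def new_request(self, payer, request_id):
        code = f"{secrets.randbelow(10**6):06d}"
        # Overwriting the entry invalidates any earlier outstanding code.
        self._pending[payer] = (request_id, code, self._clock() + CODE_TTL)
        return code

    def verify(self, payer, request_id, guess):
        now = self._clock()
        recent = [t for t in self._attempts.get(payer, ())
                  if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_ATTEMPTS:
            self._attempts[payer] = recent
            return "rate_limited"
        # Every guess counts against the payer, whichever request it names.
        self._attempts[payer] = recent + [now]
        entry = self._pending.get(payer)
        if entry is None or entry[0] != request_id or now > entry[2]:
            return "rejected"
        if not hmac.compare_digest(entry[1].encode(), guess.encode()):
            return "rejected"
        del self._pending[payer]   # codes are single use
        return "approved"
```

The one-request-to-many-victims variant the article mentions would additionally need a limit keyed on the requesting account, which this sketch leaves out.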

Vigo contacted the company, and after some hemming and hawing it pulled the SMS feature from the product in its entirety.

This step by Venmo is in line with NIST’s recent report that deprecates two-factor authentication when done by SMS. The institute found too many conceptual vulnerabilities — not to mention the man-in-the-middle possibilities — to recommend the method.
