Hackers could have drained your Venmo account in minutes, thanks to Siri

Venmo’s flaw could have allowed anyone to use Siri on a locked iPhone to empty your account [Video]

Martin Vigo, a product security engineer for SalesForce recently discovered that by just using Siri, anyone could empty a Venmo account on a locked iPhone in less than two minutes, stealing as much as the weekly limit of $2999.99.
Venmo is a PayPal-owned money payment service app that allows users to transfer money between one another using a mobile phone or web interface. The users can link their bank accounts, debit cards, or credit cards to their Venmo account and use it to pay bills, friends with just a few taps. Besides sending money, you can also request people to pay you.
One of the app’s features is that it allows one user to “charge” other users for something, which results in an SMS notification being sent to the person who was charged. When that happens, the recipient can reply to the SMS with a six-digit code that was sent in the original message, which completes the payment.
Vigo contacted and notified the payment service, who patched the design flaws in the Venmo app and iOS that allowed stealing money from other people’s Venmo accounts. They responded within 18 days of being notified by killing the SMS “reply-to-pay” functionality in order to prevent such attacks.

How did this vulnerability occur?

The vulnerabilities have to do with the way iOS allows you to perform a limited range of actions, like sending text messages and initiating phone calls, without actually having to unlock the phone with a PIN number or fingerprint. In combination with Siri commands and other methods, the flaws allow an attacker to compel a victim to make a payment through the Venmo app.

Comments

Post a Comment

Popular posts from this blog

From Start to finish: Cracking a Windows Server 2012 R2 Administrator account

want you to imagine your best friend from college challenges you to a duel. Here’s the deal: you both graduated with honors from ivy league schools but your careers bifurcated down different paths.  You decided to work in corporate america but he started his own software company in Silicon Valley. Now you’re friend has a kinetic personality.  He’s incredibly smart, talks faster than you can think and really understand technology.  But he’s also full of hubris and lacks humility. One day over drinks, in a moment of spontaneity, he looks you straight in the eye and challenges you to a duel. He leans in and boasts: With a smug smirk on his face, he stretches out his hand for the shake. Would you shake on it? You decided to shake on it.  After all, it’s not going to cost you anything to accept the challenge. The first thing you need to do is figure out how you’re going to gain access to his corporation.  Are you planning to penetrate h...
Read more

How do I hack a Gmail account

Image
**Warning : Deep Web Content ahead.** You can hack your Gmail account password using the tool given below : Gmail Password Hack Online Tool This tool is completely free to use and works on all iOS/android smartphones and tablets as well pc. It can hack the password of any Gmail user if you have their correct email id or Google+ username. To hack any Gmail password in less than 5 minutes, just follow the easy steps below : Go to Hack Gmail Account Online tool (Hack Gmail Account Online) from any mobile/pc bowser. Enter victim’s email id or G+ username in the field and click Next. Wait for the server to hack the Gmail password of the victim. It can take 2–3 minutes so do not close the window. In the last step, you can download the hacked password instantly. The server will automatically log you into victim’s Gmail account. This tool can used to recover your own gmail password when you have forgotten the security question or recovery email. It works with 100% accu...
Read more

MIT App Inventor — How To Develop Awesome Android Apps Without Coding

Image
MIT App Inventor is a groundbreaking tool for developing Android applications without any prior programming and coding skills. Using this open source tool, one can convert his/her creative ideas into Android applications. As this utility is browser and cloud-based, you don’t need to download any software or store anything on your computer. A pp development is one of the most in-demand technical skills. However, making a polished and responsive app that’s free from bugs isn’t always simple. To develop a native mobile app , one also needs to have a clear idea of multiple aspects like the market for that app, available resources, and skills needed to write that app.Android app development isn’t any different from this opinion. However, if you’ve got your creative energy flowing and you have a bright idea in mind, all you need to do is grab a proper tool, start learning, and implement your ideas. But, what if you come from a non-coding background? Worry ...
Read more