Venmo Security Flaw Could Leave Users Vulnerable to Losses Reaching $2999.99 per Week

Venmo is a popular mobile payment service that allows users to transfer money between one another with just a couple of taps on their phones. Your friend bought you a drink at the bar? You can use Venmo to pay him or her back immediately. Out for lunch and your buddy forgot his or her wallet? You can “charge” them – i.e. send them a notification that allows them to quickly pay you back via their phone.

The PayPal-owned service has grown significantly in the past couple of years, with users making billions of dollars worth of transfers in a matter of months. However, a recent security flaw was discovered by a product security engineer that could have allowed hackers to drain your account by up to $2999.99 per week.

Self professed “security geek”, and product security engineer for SalesForce, Martin Vigo, recently discovered a security flaw that took advantage of Venmo’s integration with Apple’s digital assistant Siri, allowing hackers to authorize payments for $2999.99 (Venmo’s weekly limit) on an iPhone without ever actually unlocking the phone.

The flaw took advantage of a “reply to pay” feature in the app, that allowed users to reply to a charge request from one of their friends with an SMS to authorize the payment. For example, if your friend wants to charge you, say, $8.00 for a drink he or she bought you, you may receive a text from Venmo notifying you of the charge request. The reply to pay feature allowed you to reply to the text with a six digit code to automatically authorize the payment. However, the fact that Siri allows several functions without actually unlocking the phone, one of which being the ability to send SMS messages. Combine the two, and you have a massive security flaw.

Although SMS notifications aren’t activated by default in the Venmo app, Vigo discovered that users can activate SMS notifications via text, as well. By sending a text containing the word “Start” to 86753, the short-code number Venmo uses for SMS notifications, you can enable the SMS notifications on a device. Siri can be used to do this without ever unlocking the phone.

Once SMS notifications are enabled on a device, someone looking to drain your account can send your device a “charge” notification, check the SMS preview on your lock screen to see the six-digit code to authorize the charge, and use siri to send another SMS to 86753 containing the code to authorize the payment. All this can be done without ever unlocking the phone.

Vigo quickly reported the flaw to Venmo, and the company responded by adding a series of spaces to the six-digit authorization code – enough that the code wouldn’t appear on the SMS preview on your lock screen. However, Vigo then discovered that he could use the Siri command to “read my latest text” to have the authorization code read aloud, allowing him to continue exploiting the flaw from there. After some back and forth, Venmo made the decision to remove the SMS “reply to pay” feature, and enacted a number of other security measures to ensure that the flaw was patched.

According to Vigo, communication “with Venmo’s security team was smooth and professional,” and he called the entire back and forth correspondence a generally “good experience.”

Venmo patched the flaw within 18 days of Vigo’s initial communication with them, and Vigo refused to publish the flaw until it was patched. The flaw is another reminder, however, that with added technology and convenience, hackers are often more and more able to take advantage of our devices. It’s always important to keep your OS and apps updated to be sure any security flaws that have been detected are patched.

Do you use Venmo? How do you feel about this possible security breach? Let us know in the comments below!