Venmo is a PayPal-owned money transfer app that’s soared in popularity recently, as it allows you to settle bills and pay friends with just a couple of taps. In addition to sending money, you can request that people pay you.
And until recently, anyone could drain a Venmo account on a locked iPhone, just by using Siri. Awkward.
The flaw was discovered by Martin Vigo, a product security engineer at Salesforce. It takes advantage of the fact that iOS lets you perform a limited set of actions, such as sending text messages and placing phone calls, without unlocking the phone with a PIN or fingerprint.
In this scenario, an attacker would tell Siri to send a text message reading “START” to 86753, the Venmo shortcode. This enables the Venmo SMS service for that phone number. The attacker then sends a payment request to the victim’s account. The maximum amount that can be requested is $299.99 per payment, with a weekly limit of $2,999.99.
Venmo then asks the victim to confirm the request by sending an SMS containing a one-time code, which the recipient has to text back to Venmo for the payment to go through. The attacker can complete that step too: ask Siri to read the last message received, note the code, and tell Siri to send a text containing it back to the Venmo shortcode.
To Venmo’s credit, the problem was fixed within 18 days of Vigo’s report. The fix was to kill the “reply-to-pay” function entirely. While this will undoubtedly inconvenience those using the service on feature phones and other unsupported platforms, there was apparently no secure way to keep it.