
How to steal $2,999.99 in less than 2 minutes with Venmo and Siri

Venmo is a very popular mobile app which simplifies payments among friends. Once you link your bank account or credit card, you can start sending money to others, instantly.

With Venmo, you are not limited to just making payments. It also allows you to charge others. Say your friend had no cash for that tasty burrito and you paid for it. You have the option to be proactive and “charge” your friend using Venmo. Charging someone does not mean that the money will be withdrawn from his account; it just means that he will get a notification and see the pending payment in his account. Your friend has to accept the charge in order for the payment to happen. And this functionality is what we are going to take advantage of.

Venmo notifications

Just like any other mobile app, Venmo has a notification system to keep you up to date with any charges, payments, etc. By default, notifications are processed and rendered by the app. Every time something relevant happens, you will see the familiar alert pop up on your mobile device screen.

Some time ago, a friend charged me for a bottle of Gin he bought while we were partying at Bay2Breakers. I hate invasive notifications so I have them all disabled. However, instead of the classic “App notification”, I got an SMS. I had never noticed this before and immediately thought this was a new feature in Venmo. Looking at it, I realized that it was not just a notification, it was a call to action. The SMS gave me the option to reply with a 6-digit code in order to make the payment. I did so, and as expected the payment was processed.

This got me thinking: I hadn’t authenticated to Venmo in order to make the payment. I simply replied to a text with the code I was given, and that seemed sketchy.

Stealing money from locked devices

As mentioned above, one of the things you can do with Venmo is send a payment request to someone. It is as simple as paying somebody but instead of clicking “pay”, you click “charge”. The weekly limit is $2,999.99, hence the title of this post.

I remembered that you can use Siri to send SMS when your device is locked. It is worth noting that this feature is on by default and became especially popular when the “Hey Siri” feature was added in iOS 9.

Now that we know we can send SMS on locked devices, we need the code present in the SMS in order to reply and make the payment. Apple introduced the “Text Message Preview” feature, which allows you to see on the lock screen who sent you a text and part of its content. This is also on by default.

If we combine these two, I am able to see the SMS with the code and reply using Siri. All this without unlocking the device, and all of it out of the box. WIN?!?

Venmo’s SMS notification

Once I reproduced the attack on my phone, I was very excited. But before running to report it to Venmo, I wanted to make sure it was working on other devices. I tested on my girlfriend’s iPhone and to my surprise, I did not get an SMS. This ruined everything, as in order for this attack to be “significant” I was looking to make it happen on devices with default configurations. Yes, I could see texts on the lock screen. Yes, I could reply to texts using Siri. But Venmo’s SMS notification was not enabled by default. I must have enabled it at some point in the past.

I really wanted to make this possible under default settings so I looked at everything all over again. While checking the SMS service, I started to reply with random characters which resulted in another SMS reply like the one below:

SMS reply to random data

When I read the SMS again I realized that I did not pay attention to the most important part: “Reply STOP to cancel”. Hmmm… If I can reply STOP to cancel the SMS notification service, can I send a text with the word START and activate it?

SMS to activate the service

BINGO! You can activate the SMS notification service by sending an SMS with the word “Start” to 86753. 86753 is a short code number owned by Venmo and used for all of its SMS notifications.

Now, I am able to activate Venmo’s SMS notification service, see the secret code and reply to make the payment. All that without unlocking the device!

Venmo’s patch and workaround

SMS preview

When I reported this to Venmo, together with the other findings you can read about below, they decided to fix this particular issue by adding additional spaces to the SMS that contains the 6-digit code. Because the Text Preview feature only shows a limited number of characters, Venmo added enough spaces to the SMS to prevent the code from being displayed in the lock screen preview.

Unfortunately, this fix is not good enough. I found a really easy workaround with which I could still find out the code. Again, all I had to do was use Siri to “Read my latest text”. While I could no longer read it myself on the lock screen, I can have Siri read it to me. Simple and effective!

Demo

Preventing this attack

There are several issues here and to be honest, this is not all Venmo’s fault. The problem is not just that you can pay by replying to an SMS. The problem is also that you can see the text and reply to it without unlocking the device. That is on Apple.

Venmo also lets you enable the service over SMS, and that should not be possible. Venmo should remove that functionality, which would prevent this attack entirely (unless you already have it enabled). Given that disabling Venmo’s SMS notifications is not effective, you should disable SMS preview. You can also disable Siri on the lock screen so no one can send texts on your behalf.

Other possible attacks

Now that we know how to abuse the SMS notification system to make money, I wanted to further explore the possibilities of this service. After all, we still need physical access to the mobile device in order to perform this attack. I wanted to see if I could do the same thing without having to see the SMS, basically by brute-forcing the code.

I charged my own account to receive the SMS and started to input incorrect codes. I was expecting to get a number of tries and then have the payment canceled, but instead I got an SMS informing me that I had exceeded the number of tries and that I would have to wait a bit to try again. Interesting! The payment is not canceled; there is simply a time-based protection in place to make brute-forcing more difficult.

Wrong codes SMS

Have you noticed it too? “No one has requested money from you with that confirmation code %s”. Venmo told me there was no security impact, just a typo.

Anyway, the point is, after 5 tries I had to wait about 5 minutes until I could try another 5 times. The codes are six digits long, so we have 1 million possibilities and we can try 5 codes every 5 minutes. Do the math. Possible but not feasible.

Codes are linked to payment requests

Since we cannot brute-force the entire code space, I tried sending 2 charge requests instead of one. Basically, I wanted to see if, once I sent the second charge request, the first one would be invalidated together with its code. Turns out that is not the case. Every charge request is associated with a new code without invalidating previous requests. This means that instead of sending one request and brute-forcing a million codes, I can send multiple charge requests and reduce the number of codes I have to guess!

I used Burp to look at the API and indeed, I was able to send 50 payment requests in a matter of seconds. Of course, this is very noisy. Remember that the victim will get one notification for every charge request… We need to improve this.
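The two weaknesses described above (wrong codes are only throttled, never fatal, and every new charge adds another live code to guess against) can be closed on the server side. The following is an added example of a hypothetical reply-to-pay backend, not Venmo’s code: a repeat charge from the same payee replaces that payee’s earlier pending code, and a per-payer budget of wrong replies cancels every pending request instead of merely pausing the guessing.

```python
import secrets
from dataclasses import dataclass
from typing import Callable

CODE_DIGITS = 6
MAX_WRONG_CODES = 5   # wrong replies per payer before all pending requests are cancelled


@dataclass
class ChargeRequest:
    payer: str
    payee: str
    amount_cents: int
    code: str
    state: str = "pending"   # pending | paid | cancelled


class ReplyToPayService:
    """Hypothetical confirm-by-SMS backend. With K live codes, one reply matches
    any of them with probability K / 10**CODE_DIGITS, so K per payee is capped
    at 1 and a burst of wrong replies fails closed rather than throttling."""

    def __init__(self, randbelow: Callable[[int], int] = secrets.randbelow):
        self._randbelow = randbelow        # injectable so tests are deterministic
        self._pending: dict[str, list[ChargeRequest]] = {}
        self._wrong: dict[str, int] = {}

    def charge(self, payer: str, payee: str, amount_cents: int) -> ChargeRequest:
        live = self._pending.setdefault(payer, [])
        for old in live:
            if old.payee == payee:         # a new charge replaces, never accumulates
                old.state = "cancelled"
        live[:] = [r for r in live if r.state == "pending"]
        code = f"{self._randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        req = ChargeRequest(payer, payee, amount_cents, code)
        live.append(req)
        return req

    def confirm(self, payer: str, reply: str) -> str:
        """Handle the payer's SMS reply: paid / wrong code / cancelled / nothing pending."""
        live = self._pending.get(payer, [])
        if not live:
            return "nothing pending"
        for req in live:
            if secrets.compare_digest(req.code, reply.strip()):
                req.state = "paid"
                live.remove(req)
                self._wrong[payer] = 0
                return "paid"
        self._wrong[payer] = self._wrong.get(payer, 0) + 1
        if self._wrong[payer] >= MAX_WRONG_CODES:
            for req in live:
                req.state = "cancelled"    # fail closed: payer must re-authorise in the app
            live.clear()
            self._wrong[payer] = 0
            return "cancelled"
        return "wrong code"

    def outstanding(self, payer: str) -> int:
        return len(self._pending.get(payer, []))
```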

One request to multiple victims

My previous approach was to send multiple requests to the same victim in order to reduce the number of codes I have to guess. Since that is too noisy, I can send only one request, but to multiple people instead.

User enumeration makes finding victims very simple, and it takes just a few lines of code to write a script that will return a million valid Venmo user emails/phone numbers.

User enumeration in Venmo

Instead of sending a million requests to one victim, we send one request to a million Venmo users. Once we do this, all we have to do is send a text to Venmo’s service with the same code for all the million users. Statistically we should have at least one match. We cannot forget that we also have to spoof the phone number of the victim when sending the SMS. That is trivially easy with services like Twilio though.

These attacks are theoretical and I did not try them. Venmo payments are known to be monitored and the last thing I want is someone knocking at my door asking why so many people owe me money.

Again, when I reported this to Venmo, they responded that it was not possible, for three reasons:

Short Code numbers cannot be spoofed

Venmo told me that it should not be possible to spoof SMS messages to short codes, since they bypass the SMS gateways where the spoofing would need to occur. I did not find a way to do it either. Because this prevents the attack entirely, I started thinking that a short code number must be associated with a real number. And if I found the real number, I could perform the attack as explained above, because I would be able to spoof the sender.

Doing some tests with the settings on Venmo’s website, I managed to get a text from +1(646)-679-6604 instead of the short code 86753. Awesome! I also confirmed that you can get the charge notification through the short code but reply with the 6-digit code to the real number. The payment will still happen, making the attack possible again.

Rate limiting makes user enumeration too expensive

Venmo thinks that it is not possible to enumerate accounts massively since “there is rate limiting in place to prevent abuse of this endpoint”. The problem here is that this is an unauthenticated call (you try to recover the password because you cannot log in), which means the only way to have rate limits is to check which IP the multiple requests are coming from. We can easily bypass this protection by using a list of proxies and iterating over them. Our IP will change every few requests without much performance impact (we need at most 1 million valid accounts). Venmo should simply return the same message whether the phone number is valid or not.
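What “return the same message whether the phone number is valid or not” looks like in practice, as an added example (hypothetical handler, not Venmo’s code, with constructed sample accounts): the status and body are identical for known, unknown and throttled identifiers, the observable work of actually sending a message is queued off the request path so timing does not differ either, and the throttle is keyed on the target identifier rather than the caller’s IP, so rotating proxies does not reset it.

```python
import time
from collections import defaultdict

# Constructed sample of registered identifiers (e-mails / phone numbers); not real accounts.
REGISTERED = {"alice@example.com", "+15555550100"}

GENERIC_REPLY = ("If an account exists for that e-mail or phone number, "
                 "we have sent it password recovery instructions.")


class RecoveryEndpoint:
    """Hypothetical unauthenticated password-recovery handler.

    The response never depends on whether the identifier exists, and the
    expensive step (sending the SMS/e-mail) is handed to a queue instead of
    being done inline, so neither the body nor the latency enumerates users.
    Throttling is per target identifier, which a proxy list cannot rotate."""

    def __init__(self, registered, per_target_limit=3, window_s=3600):
        self._registered = {r.strip().lower() for r in registered}
        self._limit = per_target_limit
        self._window = window_s
        self._recent = defaultdict(list)   # identifier -> timestamps of recent requests
        self.queued = []                   # back-end only: messages handed to the sender

    def _over_limit(self, ident, now):
        hits = [t for t in self._recent[ident] if now - self._window < t]
        hits.append(now)
        self._recent[ident] = hits
        return len(hits) > self._limit

    def request_reset(self, identifier, now=None):
        """Handle POST /recover; returns (status, body) independent of account existence."""
        now = time.time() if now is None else now
        ident = identifier.strip().lower()
        if not self._over_limit(ident, now) and ident in self._registered:
            self.queued.append(ident)      # real system: enqueue the reset message here
        return 200, GENERIC_REPLY
```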

Daily rate limit to the number of charge requests

Venmo claims that a user can only do a limited number of charge requests per day and that “it would prevent this attack scenario from scaling to the point where it would significantly improve your chances for brute forcing”. 

In reality, this makes the attack more tedious rather than impossible. The charge request limits are applied on a per-user basis. It is possible to create multiple Venmo accounts and switch between them every time the request limit is reached. My tests indicate that you can make up to 50 charge requests per day. On average, you would need ~1500 accounts to successfully perform this attack. You also need a valid phone number to create an account, which makes it trickier.

Responsible disclosure

As I mentioned, I disclosed my findings to Venmo responsibly. They accepted some of the issues I found, proposed patches and mentioned that some of my assumptions were incorrect. I explained some of the workarounds I found above and shared those with Venmo as well.

After some back and forth, Venmo took the following steps to secure the app:

  • They killed the SMS “reply-to-pay” functionality. There was no good way to fix it. I am glad Venmo decided to kill a feature vs. keeping it knowing it has flaws.
  • The real number cannot be used anymore. You cannot receive an SMS from the short code number and reply to the real number now.
  • The %s typo in the SMS was fixed.

Communication with Venmo’s security team was smooth and professional. They kept me updated on the fixes as those were pushed to production and generally it was a good experience.

Timeline

  • June 1st, 2016: Disclosure to Venmo
  • June 8th, 2016: Venmo acknowledges some issues and discards others
  • June 10th, 2016: I question some patches and assumptions made by Venmo
  • June 15th, 2016: Venmo agrees and decides to kill the “reply-to-pay” feature
  • July 18th, 2016: Venmo notifies me that all fixes have been deployed

58 comments

  1. Lucio Guido says:

    Very interesting, great work and loved the way you “showed your work”, allowing me to get a better handle on how security professionals can problem solve.

    Also, the best news is they learned to disable authenticating payments through SMS. The only part of your article I disagreed with was the assumption that it’d be best if SMS preview and reply was turned off from the lock screen.

    A) there are a number of life-saving scenarios that depend on being able to read and reply to texts without requiring an unlock. These include situations where the phone owner falls unconscious or is otherwise disabled, as well as situations where important info needs to be shared when the person is driving, etc.

    B) texts are extremely easy to get sent to another device or to snoop on in other ways. Remember that it was recently decided that SMS can no longer be used for authentication for this very reason.

    C) the feature “hey Siri” makes the iPhone usable for millions of people who do not have use of their hands. It is important that we do not allow people who are disabled to be inherently less secure because “oh well, they should’ve disabled the feature”.

    Which is why fundamentally, no exchange of money should ever be confirmed via text.

    It is the responsibility of developers to ensure the information they send over SMS is not used to authenticate or do other information critical exchanges. In fact, doing so is quickly becoming illegal.

    • Martin Vigo says:

      Thanks for reading and providing feedback! I was maybe misleading, but I did not mean to say that the solution was to disable Siri on the lock screen. I said that while Venmo does not fix the issues, disabling Siri is an alternative solution. While you are right that Siri is super useful when the device is locked, this is still insecure and in my opinion you should have the option to enable it, but it should be off by default.

      Specifically to your points, I would say that:
      A) In life threatening situations you call 911 which is available even without Siri
      B) That’s true, but just because there are other ways to do it, that should not be a reason to not start somewhere to fix it.
      C) Agree 100%. That is why I mentioned that it should be an option to enable it but it should be secure by default.

      Thanks again for the feedback!

  2. upside says:

    awesome stuff buddy,
    i hate these companies who think their code and dev teams are the best,
    don’t get me wrong, i wouldn’t know where to start on systems like that but they’re getting paid for their ability lol,

    i like your approach and your tactics,
    and your motives for these “attacks” is for the better good of everyone and ethical

    and the way you wrote it up makes it crystal clear and a good read

    companies need to realise we are about 100 years behind in regards to security when it comes to the protection of electronic data, so no matter what they make, someone or some group of people will find a way, as i’m sure you’ve proven that point more than once lol

    and when the prize is money like the above write up it gives the unethical persons enough reason to find that way to win the prize

    when is money safe?
    when it’s in your hand, not in a server

  3. Bonnye says:

    My business account was hacked using Venmo & I don’t even subscribe to their service! I am in the middle of dealing with getting repayment of my monies from my bank…written to State Attorney Generals office, Consumer Financial Protection, Better Business Bureau….any other suggestions? My thoughts are go to local & national TV stations to try to make other people aware of this!!!

    • Martin Vigo says:

      That’s strange! If you don’t have a Venmo account linked to your bank account, how did they manage to gain access through Venmo? Could you provide more details if possible? It is a very interesting case. Feel free to send me an email.

      • Bonnye says:

        That is the million dollar question! I do NOT use Venmo! In my correspondence with my bank, they (customer service reps) said they didn’t even know what or who Venmo was. I discovered the money missing on January 16, 2017 and went down to the bank on the 17th. The monies were taken on November 9th from my business account….the statement said “Mastermoney purchase, POS purchase terminal 12345678 Venmo 085581244 NY”. The bank seems to think they used my debit card. I chatted online with Venmo and they gave me the name (first name & last initial) of the person that received the money but would not give me any other info because of their “privacy laws”. The bank has not told me exactly what they are doing or whether my money will be refunded but will advise me by April 17, 2017.
        I have contacted OCC, BBB, State Attorney General’s office & Consumer Financial Credit Bureau. Most responses have asked if I am satisfied with bank’s response …obviously I am not satisfied.

        • Martin Vigo says:

          So, if I understand correctly, someone stole your debit card info and added it to their Venmo account to later make a purchase? That is pretty crazy, first time I hear that story. Thanks for sharing it with us. I hope everything will be fine on your side and you get a refund!

  4. Jim S says:

    About 2 weeks ago, I reported a basic loss of functionality to Venmo through their customer support. Issue not fixed and when I followed up for anticipated resolution today (4/3/17), the CSR wouldn’t/couldn’t tell me if the issue I reported two weeks ago was in their support database. Hmmmmm.
    ISSUE: Loss of copy functionality on iPhone (there still is copy functionality in the desktop version; not sure about Android) when attempting to copy historical information from a transaction. When holding my finger down, the copy balloon does not activate. This loss of functionality began when some changes to the UI were rolled out by Venmo about 2-3 weeks ago. When initially reporting this loss of functionality to Venmo (3/20/17), they denied this functionality was missing even after I asked them to attempt replicating on a support person’s iPhone. Hmmmm. Then I reached out to 5 random users of Venmo in Atlanta and each one of them confirmed they did not have this functionality either. I reported this to Venmo Support on 3/22/17. A trouble ticket was generated by Yelena in CS on same date.

    I’ve worked for Siebel, Oracle, and SaaS startups and worked with my Support teams to resolve client issues. I’d have to give Venmo low marks for their responsiveness and expertise regarding follow up, documenting issues (the CSR I spoke with on 4/3/17, said the issue I described to Yelena on 3/22/17 was not documented in their support system; she asked me to describe the issue again), and resolving them.

    It’s a very good app, but their resolution of a basic functionality issue on what is probably their largest installed base of users (iPhone users) leaves me wanting. Thoughts?
