Venmo flaw allowed attackers to use Siri to drain accounts

You might wanna check your account.
Photo: Jim Merithew/Cult of Mac

A critical flaw in PayPal-owned Venmo left iPhone users’ accounts exposed to an attack that could have allowed attackers to steal $2,999.99 in just two minutes.

The Venmo security flaw was discovered by Salesforce security engineer Martin Vigo, who found that Siri could be used on a locked iPhone to drain an account just by sending a few text messages.

Check out the hack in action:

https://www.youtube.com/watch?v=2BmN7NCMES4

All an attacker had to do was tell Siri to send a text message to 86753 containing the word “START”. If the iPhone had a Venmo account associated with it, the attacker could then request that a payment be sent. The maximum was $299.99 per transaction, with a limit of $2,999.99 per week.

The attacker could then obtain the one-time verification code by asking Siri to read the incoming text message aloud, and from there it was easy pickings. Luckily, Venmo says it fixed the problem 18 days after Vigo reported it, but the fact that the flaw existed at all won’t sit well with customers.
