A critical flaw with PayPal-owned Venmo left iPhone users’ accounts exposed to a lethal attack that could have allowed attackers to steal $2,999.99 in just two minutes.
The Venmo security flaw was discovered by Salesforce security engineer Martin Vigo, who found that Siri can be used on locked iPhones to drain an account just by sending a few text messages.
Check out the hack in action:
https://www.youtube.com/watch?v=2BmN7NCMES4
All an attacker had to do was tell Siri to send a text message to 86753 containing the word “START”. If the iPhone has a Venmo account associated with it, the attacker can then request to send a payment. The max you can do is $299.99 per transaction, with a limit of $2,999.99 per week.
The attacker can then get the one-time verification code by asking Siri to read the text message, and then it’s easy pickings. Luckily, Venmo says that they fixed the problem 18 days after it was reported by Vigo, but the fact that the flaw existed at all won’t sit well with customers.
2 responses to “Venmo flaw allowed attackers to use Siri to drain accounts”
The “Attacker Account” would have to have a linked debit card/bank account which would identify him/her to Venmo, allowing tracing and reversal of any fraudulent activity. You can also prevent your phone from sending texts while locked. Still scary though.