A finance app called "Money Lover" has been found leaking user transactions and their associated metadata, including wallet names and email addresses.
That’s according to Trustwave, which published its findings in a blog post on Feb. 7.
Money Lover, developed by Vietnam-based Finsify, is a tool for managing personal finances — budgeting, tracking expenses, and so on. It’s available in Google Play for Android, the Microsoft Store for PCs, and the App Store for iOS, where it enjoys a 4.6-star rating from more than 1,000 reviewers, who may or may not have been affected by the vulnerability.
Though the app leaked no actual bank account or credit card details, "the potential danger to their customers’ accounts will surely affect both the financial vendor and customer monetarily," wrote Karl Sigler, a senior security research manager at Trustwave. "And when you have a financial institution that loses a customer's trust, they will likely see a reputation hit."
The Money Lover Bug
Troy Driver, a Trustwave security researcher and Money Lover user, became curious about Money Lover's security. So, using its Web interface, he routed its traffic through a proxy server, where he discovered a problem: From the Web sockets tab of his browser’s developer tools window, he could see the email addresses, wallet names, and live transaction data associated with every one of the app's shared wallets (wallets managed by two or more users).
It was a classic case of broken access controls, where he — an otherwise authorized user — was able to view data that should have been kept outside of his permissions.
"Based on the small amount of information in the blog," Stephen Gates, security evangelist at Checkmarx, speculates to Dark Reading, "I would suspect that an API in use has an API1, API2, and/or API3 vulnerability,” aka broken object level authorization, broken user authentication, and excessive data exposure, respectively (all forms of broken access control).
Such vulnerabilities are extremely common. Every few years or so, the Open Web Application Security Project (WASP) releases a Top 10 list, using extensive testing and surveys of industry professionals to track the most common web security vulnerabilities. In its latest 2021 iteration, broken access controls made the No. 1 spot on the list.
Broken access isn’t just prevalent, though — it’s dangerous. "If the app has one or more of the above vulnerabilities," Gates adds, "it’s just a matter of time before attackers craft the perfect request to possibly gain access to even more data."
The Implications of the Bug
While the sensitive data in this case isn't all that sensitive (i.e., not payment card details or credentials), users would be advised not to pooh-pooh cases like this, as they can lead to more pointed attacks further down the line. For example, cross-referencing email addresses with past leaks could potentially lead to account takeover or impersonation.
Even the basic metadata leaked by Money Lover could be something to go on, for hackers that like to use every part of the animal, as it were.
"For instance," Sigler explains, "a scenario could occur where an attacker reaches out to one of the users sharing a wallet via email and suggests that funds aren't seen in a specific shared wallet name and transaction ID. The attacker could then recommend the person transfer money to a different account or maybe log in to 'check' the transaction but provide a link to a credential capture webpage."
Sigler puts it bluntly: "There is no reason for any Money Lover user to be able to see the transactions of any other user. Tightening up permission to just authorized users is an important security control."
As of Jan. 27, the Money Lover app patched the vulnerability; users should update their apps to the latest version.