Editor's Note: Dark Reading was able to verify that the issue Cerrudo found was present as of June 24, when we created an account on Veem and confirmed that the personal information and partial bank account information were visible to anyone else. We also confirmed that even after deleting the account, most of the information remained accessible. We contacted Veem, and they provided this comment:
"Veem is committed to safeguarding customer information and funds and has in place a comprehensive security program that includes internal, external and regulatory assessments. We have responded to Mr. Cerrudo, and we continue to evaluate information provided to us by customers or third parties to ensure that any issues raised from those sources are included in our roadmap, as appropriate. As a matter of policy, we do not publicly comment on specifics of our program, other than to reinforce that we take our obligations seriously and devote substantial resources to deliver services in a reliable and secure manner."
Over the years I have made hundreds of disclosures, and it still amazes me how some companies have such bad security practices and lack of security awareness.
This is a cybersecurity horror story from Veem, a well-funded fintech company that clearly fails badly at security and privacy. What's Veem? From its site: "Easily pay vendors and contractors domestically or internationally in over 100 countries, and get paid faster with one simple, yet powerful digital payments solution. With more payment flexibility and visibility, Veem gives small businesses the power to save time and control cash flow."
This all started when I was using the Veem service. It was pretty good, cheap, and easy to use. I liked it, and I recommended it. But I grew concerned about Veem's approach to security.
First I noticed that it displayed too much information about Veem users who weren't in my contact list. I just ignored it, though, and kept using it. Then one day, I was unable to log in and was forced to change my password via an email with a link to a form. I used the form to change my password, but I noticed something weird in this process, so I left the email marked to take a look at later.
After some days, I remembered the email I had saved and went to take a look. I clicked on the link and was presented again with a form to change my password. That was unusual — the link should have expired because I had already changed my password and because too much time had passed since the link was sent to me. Then, when examining the link, I realized that it was sent using the Mailchimp add-on Mandrill. That meant that this platform, a third-party email marketing and automation service, had access to change my password for many days, since it had the link saved in its systems. This is a really bad security practice that even a minimal security check should have identified. I started to believe that Veem's systems hadn't been security tested.
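The two expiry conditions described above (a reset link must stop working once the password has been changed, and after a short time limit regardless) are easy to enforce. This is an added example and not Veem's code; the in-memory store, the 15-minute lifetime and the sha256 password hash are assumptions made to keep it self-contained.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # a reset link should live minutes, not days


class PasswordResetService:
    """Minimal reset-link lifecycle: time-limited, single-use, and void once the password changes."""

    def __init__(self):
        self.passwords = {}      # user -> password hash (constructed in-memory store)
        self.reset_tokens = {}   # sha256(token) -> (user, expires_at)

    def set_password(self, user, password):
        # sha256 stands in for a real password hash (argon2/bcrypt) to keep the example dependency-free
        self.passwords[user] = hashlib.sha256(password.encode()).hexdigest()
        # Any password change, by whichever path, voids every outstanding reset link for that user,
        # so a link still held by a mail provider or a mailbox cannot be replayed afterwards.
        self.reset_tokens = {h: v for h, v in self.reset_tokens.items() if v[0] != user}

    def check_password(self, user, password):
        return self.passwords.get(user) == hashlib.sha256(password.encode()).hexdigest()

    def issue_reset_link(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only the hash is stored; the raw token travels in the emailed link and is never kept server-side.
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (user, now + RESET_TTL_SECONDS)
        return token

    def redeem_reset_link(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # pop: one use only
        if entry is None:
            return False           # unknown, already used, or voided by an earlier password change
        user, expires_at = entry
        if now > expires_at:
            return False           # too old, even though it was never used
        self.set_password(user, new_password)
        return True
```

The `now` parameter exists only so the time limit can be exercised deterministically; in production the default `time.time()` is used.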
After I found this password change security issue, I got a bit worried about Veem's security overall. It's a fintech solution that allows users to send and get payments, so it deals with a lot of money from its users, including myself. I decided to take a deeper look at some functionality that had looked strange to me but I had ignored earlier. I logged in, accessed this functionality, and, to my surprise, I found out that they were leaking all users' personal information, such as full name, address, city, state, country, email, phone number, date of birth, bank name, account type, and last four digits of bank account number. I couldn't believe what I was seeing — anyone could easily access any Veem user's personal information.
I had to quickly report these issues — especially the last one, which was very critical. After I got help finding the correct contact email, on March 29, 2022, I emailed [email protected] detailing the problems. I was hoping for a quick answer, but no. On April 2, I emailed again, and after two days, still no answer. I was getting worried, since when you report such a critical issue, you should get an instant response. Every day that passes means someone gets another chance to exploit the issue.
Thinking about how to get a response, I got an interesting idea: What about using the security issue to find out information about Veem executives? So I got the Veem CEO's information — all of his information, but I really just needed the email address. I didn't think cold-calling him would be a good idea, and no, I'm not doxing him here. :)
On April 4 I sent an email to the CEO:
Hi, I sent this (I forwarded previous email sent to [email protected]) almost a week ago and I haven't had any answer.
There is at least one serious issue that leaks users' personal information such as full name, email, date of birth, address, phone number, name of user's bank, bank account last 4 numbers, etc.
Please have your security team take a look and answer ASAP.
Chief Research Officer
Later that day, I got the following from [email protected]:
I want to thank you for proactively reaching out to us regarding the vulnerabilities you have found on our web application. Unfortunately, we do not have a bug bounty program or a financial reward at this time and there are no exceptions for one-time rewards either.
In the meantime, we hope you continue leveraging the Veem network for your payments, and keep us informed on any future feedback you may have that will make it better and safer for all of our customers.
Thank you for your time and understanding.
Cyber Security Team
As you can see, they clearly didn't realize the criticality of the issue and thought that I was just looking for some reward. I had to explain (cc'ing the CEO just in case):
I'm not looking for any reward. I just want you to take a look at the issues and fix them ASAP; once they are fixed, let your users know about it. Also, in the meantime, provide feedback.
For a financial institution it is very serious to leak customers' information.
btw, I'm CCing your CEO so he is aware of this, I got his personal information from Veem platform.
Chief Research Officer
Then, after two days, they replied:
Thanks for following up.
Apropos your findings, we are already tracking the two information leakage-related gaps in our risk register. These gaps exist to support otherwise desirable features — changing their design to eliminate this avenue for data exfiltration is nonetheless on our product roadmap. However, because this logic exists to support features which our customers expect to work, there is no quick or easy solution available. We recognize that this is a shortcoming and are planning appropriate redesign — prioritizing security and privacy, while also retaining essential parts of our product's user journey and customer experience.
Regarding password reset links, you raise an entirely valid concern regarding link expiry. We have scheduled a fix for release in an upcoming sprint cycle.
Once again, thank you for your proactive outreach and for helping us improve the security and privacy of our platform.
Veem security team
Please Prioritize Security
Cool, so they're fixing the password reset issue, but the personal information leakage is a feature they can't easily fix? How are they "prioritizing security and privacy"? Welcome to the 2020s, where fintechs prioritize functionality over security and privacy.
At this point it was clear to me that this was a very immature company in terms of cybersecurity and privacy, so I would have to deal with this in the best possible way and try harder to make them understand the issues, collaborate, and act quickly. I replied:
Thanks for getting back with more details.
I completely understand your challenges and point of view. What I would like is to have more visibility on this, so I would like to get some timeline information, like when you are planning to start working on the fixes and when they will be ready. As you may know, when vulnerabilities are reported it is called responsible/coordinated disclosure; it requires collaboration from both sides, and there is a limited waiting period for the issues to be fixed. We can't wait forever, holding back the vulnerability information we have that affects several thousand of your users; if you don't fix it in a short period of time, we need to go public and let people know about the issues. If you are not familiar with responsible/coordinated disclosure, please take a look at it to understand these common practices in cyber security.
I'm open for a quick call if you like so we can be on the same page on this.
Chief Research Officer
Twelve days after the above email was sent, I still had no answer at all, so I asked for news. The following day they replied:
We are actively addressing these findings.
Please be assured that we take this seriously and that customer security and privacy are at the top of our priorities.
Veem Security Team
I wasn't happy with the answer. Such a delay and lack of communication doesn't reflect taking security and privacy seriously.
Anyway, I waited for a few days to see if they would get back to me again with more updates — but, no, I had to email them again:
I'm sorry, but it seems you are not understanding how severe the issue is and how to manage it. Please let's have a call urgently and have some decision maker attend. I'm available most days from 1:30pm to 3pm ET.
Chief Research Officer
The same day, they replied:
We would like to send you our SOC2 report and set up a discussion but need to put an NDA in place to do so. Our CSO proposes that we connect at 2:15 pm EST on 5 May 2022 to address questions you may have. Here is the link for our eNDA http://bit.ly/VeemNDA
Veem Security team
That was weird — why did they mention the SOC2 report? They wanted to show me they were in compliance? But were they? Also, that was on April 25, and they wanted to have a call in two weeks — more than a month since I sent the initial report — so clearly they didn't feel any urgency.
Plus they wanted me to sign a nondisclosure agreement (NDA). That was an indication of suspect cooperation, in my experience; when a company dealing with a disclosure brings an NDA, it's highly probable they want to keep everything hidden. I discussed this with my team at Strike and got back to Veem the next day:
Ok, let's confirm the call for 2:15 pm EST on 5 May 2022. We don't usually sign NDAs for this, so I have to consult our lawyer and will get back to you ASAP.
Chief Research Officer
After taking a look at the NDA with our lawyer, we identified that it said: "evaluate the potential for, or the expansion of, a business relationship between the parties..."
Why would they want us to sign an NDA that mentions business relationships?
Avoiding the Problem
On April 28 I replied:
After evaluating the NDA, it says: "evaluate the potential for, or the expansion of, a business relationship between the parties" which doesn't make sense since we aren't talking about any business here.
Also, the NDA should explicitly exclude the vulnerability information I already shared with you and any previous communication before the NDA is signed. I see two options: we don't sign the NDA, or the NDA is modified with my requests. Anyway, I think we can have the call next week without an NDA; what's important is to talk about the current situation and plans to fix it.
Chief Research Officer
Unsurprisingly I got no answer. Then on May 4, one day before the call was supposed to take place, I asked for updates:
Hi, are we having the call tomorrow? Please send an invite.
Chief Research Officer
Later the same day I got the following:
We are pleased to convey that your concerns have been addressed and our platform has been updated. As such, a meeting will not be required.
Thank you for being our valued customer.
Veem Cybersecurity Team
Whoa, that was really a surprise. I didn't like the answer, but I thought, "OK, at least they fixed the issues." Of course I have to check, though, so I took a look at the issues again.
The password reset issue was only partially fixed, because they continue to use the same mailing/marketing service. And surprise, surprise, surprise — the main issue was not really fixed :(
For the personal information leakage, they only removed the date of birth and the last four digits of the bank account number. But the last four digits of the bank account number were still displayed in another field in the same HTTP response, so they were still leaking everything except the date of birth. Really bad fixes.
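The failed fix above is the classic deny-list pattern: a named field is stripped while a second field carrying the same value is left in the response. An allowlist serializer avoids it by emitting only fields approved for other users. This is an added example, not Veem's code; the sample record, its field names, the "list my information" flag and the "contact" distinction are all constructed assumptions.

```python
# Constructed sample of a user record as a service might hold it internally (not real data).
INTERNAL_USER_RECORD = {
    "id": 4711,
    "display_name": "Example Vendor LLC",
    "email": "billing@example.com",
    "phone": "+1-555-0100",
    "address": "1 Example St, Springfield",
    "date_of_birth": "1980-01-01",
    "bank_name": "Example Bank",
    "bank_last4": "1234",
    "bank_account_display": "Example Bank ****1234",  # second field carrying the same digits
    "list_my_information": True,                      # assumed equivalent of the account setting
}

SENSITIVE_FIELDS = {"date_of_birth", "bank_last4"}


def denylist_profile(record):
    """The partial-fix pattern: drop the named fields and pass everything else through."""
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}


PUBLIC_FIELDS = {"id", "display_name"}           # what any other user may see
CONTACT_FIELDS = PUBLIC_FIELDS | {"email"}       # what an established contact may additionally see


def allowlist_profile(record, viewer_is_contact=False):
    """Only explicitly approved fields are emitted; new internal fields never leak by default."""
    if viewer_is_contact:
        fields = CONTACT_FIELDS
    elif record.get("list_my_information", False):
        fields = PUBLIC_FIELDS
    else:
        fields = {"id"}                           # opted out: nothing beyond the identifier
    return {k: record[k] for k in fields if k in record}


def leaks_value(payload, secret):
    """Regression check for the fix: does the serialized response still carry the value anywhere?"""
    return any(secret in str(v) for v in payload.values())
```

`leaks_value` is the kind of check a regression test should run against the whole response body rather than against the one field that was removed.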
In Short: Terrible
After many efforts and goodwill from our side, Veem proceeded in a very unprofessional and noncollaborative way, demonstrating a lack of security and privacy awareness. We decided we needed to go ahead and publish this in order to let people know.
The personal information leakage can allow cybercriminals to easily perform several attacks, such as phishing, SIM swapping, etc., resulting in possible huge money losses.
Veem didn't notify its customers about the issues. Instead it tried to silently fix them — and failed.
Veem users should contact Veem directly and ask for an explanation. In the meantime, we recommend that Veem users set the "List my Information" or "List my business" (depending on account type) user account setting to "NO" — it is set to "YES" by default. Setting it to "NO" doesn't prevent the personal information leakage, but it does make it a bit more difficult.
It's hard to understand how a company that has $100 million in investments doesn't allocate proper resources to cybersecurity and privacy, especially when dealing with users' money. Also, I wonder if they are violating any regulations.
Sadly, bad security and privacy practices are not exclusive to Veem. Many fintech companies choose feature release speed and great user experience over security and privacy. On one hand, they want to get more customers and delight them, but on the other hand, they don't properly protect their customers' data and privacy. Security and privacy should always be top priority, especially in fintech.