A data leakage vulnerability that security researchers recently discovered in a popular financial management application illustrates the danger of using application programming interfaces that are not watertight.
The now-fixed vulnerability in the app's API exposed information about users that fraudsters could exploit in spear-phishing attacks.
The app, Money Lover, has 5 million downloads and is available for iOS, Android and Microsoft devices as well as through a web app. Money Lover lets users budget and track spending across financial accounts, similar to Mint and Personal Capital. Finsify, the company based in Hanoi, Vietnam, that maintains the app, mainly targets customers in the U.S. and Vietnam but also serves Thailand, Indonesia, Malaysia, India and Hong Kong.
Security researchers at the cybersecurity company Trustwave discovered the data vulnerability and contacted Finsify about it on Nov. 24. Trustwave hackers had been probing the Money Lover web app and found that it was leaking information about other Money Lover users, including emails, wallet names and transaction IDs.
It is unclear whether malicious actors caught onto the problem before Trustwave's ethical hacking team, known as SpiderLabs, stumbled across it because Finsify did not respond to requests for comment.
Salt Labs researchers exploited four types of vulnerabilities in the application programming interfaces of a large financial company. Their findings contradict conventional wisdom about the safety of APIs in the sharing of consumer data.
Karl Sigler, senior security research manager at Trustwave, said the vulnerability was "incredibly easy" to uncover, requiring no special tools. SpiderLabs researcher Troy Driver, a Money Lover user himself, came across the issue while observing network traffic between the web app and the Money Lover API. All he had to do was open the developer tools on his web browser.
"While passively observing, I browsed to the Web Sockets tab and found a few unknown email addresses," Driver wrote in
The email addresses turned out to belong to users of Money Lover's shared wallets feature, which allows multiple users to collaborate on expense logging, and Driver said all Money Lover users who make use of the feature are affected by this issue.
Sigler said the data fortunately cannot be used to directly access accounts — the API was not leaking passwords or other such credentials — but the highly sensitive data could be used to target users with spear-phishing emails.
"For instance," Sigler explained, "I could contact somebody who uses the shared wallet and say, 'Wow, that last transaction you sent over with this transaction ID didn't go through. Could you please just Venmo me that cash to this address?'"
Trustwave researchers attempted to email Finsify about the data exposure on Nov. 24, Sigler said, but they did not get a response until they sent a message to the company's Facebook page.
Once the SpiderLabs team sent over the technical details of the vulnerability, Finsify went dark, Sigler said. SpiderLabs has not heard from officials there since, and Finsify did not respond to American Banker's requests for comment sent via email and Facebook Messenger.
SpiderLabs started working up a public disclosure that would give Money Lover users notice that their data was not secure, but on Jan. 27 the vulnerability suddenly disappeared.
Finsify patched it without ever telling SpiderLabs they were working on or completed a fix.
"It's an odd situation," Sigler said. "If the organization did patch the vulnerability, typically they want to talk about that." Companies tend to want to show off to users that they are working to secure their product. "In this case, they just wanted this silently patched in the background."
Once the fix came out, SpiderLabs went forward with publishing its findings, including screenshots of the data the Money Lover API was leaking — redacted for privacy. According to Sigler, this is exactly the kind of problem he expects to see more often in years to come.
"A lot of security professionals are really digging into those back-end APIs," Sigler said. "It's just been a gold mine of vulnerabilities. In a lot of cases, the tools to look for those types of vulnerabilities are easy and free."
For ethical hackers, that's good news because it means easy money submitting such simple weaknesses to bug bounty programs. For the companies that host them, the consequences of unprotected APIs can be more grave.
"We see some of these APIs that are vulnerable to SQL injection attacks, which could compromise the entire back-end server," Sigler said. "If you're a vendor that uses an API to access data, take a look. You might have some things you want to lock down."
