A finance app called “Money Lover” has been found leaking user transactions and their associated metadata, including wallet names and email addresses.
That’s according to Trustwave, which published its findings in a blog post on Feb. 7.
Money Lover, developed by Vietnam-based Finsify, is a tool for managing personal finances — budgeting, tracking expenses, and so on. It’s available in Google Play for Android, the Microsoft Store for PCs, and the App Store for iOS, where it enjoys a 4.6-star rating from more than 1,000 reviewers, who may or may not have been affected by the vulnerability.
Though the app leaked no actual bank account or credit card details, “the potential danger to their customers’ accounts will surely affect both the financial vendor and customer monetarily,” wrote Karl Sigler, a senior security research manager at Trustwave. “And when you have a financial institution that loses a customer’s trust, they will likely see a reputation hit.”
The Money Lover Bug
Troy Driver, a Trustwave security researcher and Money Lover user, became curious about Money Lover’s security. So, using its Web interface, he routed its traffic through a proxy server, where he discovered a problem: From the Web sockets tab of his browser’s developer tools window, he could see the email addresses, wallet names, and live transaction data associated with every one of the app’s shared wallets (wallets managed by two or more users).
It was a classic case of broken access controls, where he — an otherwise authorized
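The failure mode described above is a server that fans every transaction event out to every connected client instead of checking wallet membership first. The following is an added illustration of that pattern beside a hardened form, written for this article; it is not Money Lover's or Finsify's code, and all wallet, user and function names are hypothetical.

```javascript
// Added illustration (not Money Lover's or Finsify's code) of a server-side
// fan-out for shared-wallet transaction events. All names are hypothetical.

// Constructed sample data: two shared wallets with different member sets.
const WALLET_MEMBERS = {
  "wallet-family": new Set(["alice@example.com", "bob@example.com"]),
  "wallet-club": new Set(["carol@example.com", "dave@example.com"]),
};

// Constructed sample of connected websocket sessions; each session was
// authenticated earlier and carries the user it belongs to.
const SESSIONS = [
  { id: "s1", user: "alice@example.com" },
  { id: "s2", user: "bob@example.com" },
  { id: "s3", user: "carol@example.com" },
];

// Vulnerable pattern (the broken access control the article describes): every
// session on the socket server receives every transaction event, including
// the wallet name and the poster's e-mail, whether or not they share the wallet.
function recipientsBroadcastAll(event, sessions) {
  return sessions.map((s) => s.id);
}

// Hardened pattern: resolve wallet membership on the server and deliver only
// to sessions whose authenticated user is a member of event.walletId.
// Unknown wallets deliver to nobody (fail closed).
function recipientsForMembers(event, sessions, members = WALLET_MEMBERS) {
  const allowed = members[event.walletId];
  if (!allowed) return [];
  return sessions.filter((s) => allowed.has(s.user)).map((s) => s.id);
}

// Minimise what even a legitimate member receives: forward the fields a
// wallet member needs, not the internal record with the poster's e-mail.
function redactForMember(event) {
  const { posterEmail, ...rest } = event;
  return rest;
}

// Constructed sample event: a transaction posted to the family wallet.
const SAMPLE_EVENT = {
  walletId: "wallet-family",
  walletName: "Family budget",
  amount: -42.5,
  posterEmail: "alice@example.com",
  posterName: "Alice",
};
```

A defender reviewing such a feed can reproduce the article's check by opening the browser's WebSocket tab while logged in as one user and confirming that only that user's own wallets appear.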