A flaw in the Money Lover financial app for Android, iOS and Windows allowed any logged-in member to see email addresses and live transaction metadata for other users’ shared wallets.

Money Lover is a financial app for managing expenses and budgets. It has been downloaded five million times from the Play Store and is also available for iOS and Windows.

Image: Money Lover app on the Play Store (BleepingComputer)

Money Lover allows users to create “shared wallets” with specific people, such as family members or colleagues, in which they collaborate on recording and tracking expenses.

Users invited to a shared wallet usually know each other, so sharing data and email addresses is expected.

However, Trustwave analyst and Money Lover user Troy Driver found that transaction data and email addresses associated with shared wallets were exposed to all authenticated users of the app, not just the members of each wallet.

“Shared wallet transactions disclose user information, such as the user’s email address and shared wallet name,” reads the Trustwave Report.

“The email address and name of the shared wallet can be viewed through the Web Sockets tab of the browser’s ‘Developer Tools’. All Money Lover users who use the shared wallet feature are affected by this issue.”

The analyst discovered the information disclosure flaw by examining application traffic using a proxy and the Web Sockets view in the browser’s developer tools.

Image: Review of generated traffic (Trustwave)

The data exposed included email addresses, wallet names, and limited transaction data.

At first, the analyst thought the addresses might belong to the developers of a JavaScript library. However, as the list quickly filled with more addresses, it became clear that the app’s server was leaking sensitive information.

Image: Sensitive shared wallet information exposed (Trustwave)

Trustwave reported the issue to Money Lover’s publisher, Finsify, which released a fixed version on January 27, 2023.

The report did not specify when the flaw was discovered or how long Money Lover users remained exposed.

Note that the information disclosure bug affected only users who used the shared wallet feature.

The main implication of this flaw is that an attacker who obtained the email addresses and transaction metadata could use them for targeted phishing against the exposed users in an attempt to obtain further sensitive information.
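The pattern behind a leak like this is a real-time feed that pushes wallet events to every connected session instead of only to the wallet's members. The following is an added illustration, not Money Lover's or Finsify's code: the data model, the hypothetical function names, and the assumption that an unscoped broadcast was the root cause are all constructed for this example; the article itself only reports that the data reached all authenticated users. It shows the leaky broadcast beside a membership-scoped fan-out that also strips the actor's email from the wire format.

```javascript
// Added illustrative example (not Money Lover's or Finsify's code): how a server
// that pushes real-time shared-wallet events over WebSockets can leak data to
// every authenticated user, and the membership-scoped alternative.
// The data model and the unscoped-broadcast root cause are assumptions made
// for illustration; the article only reports that the data reached all users.

// Constructed sample wallets with their member lists.
const wallets = {
  "wallet-1": { name: "Family budget", members: ["alice@example.com", "bob@example.com"] },
  "wallet-2": { name: "Team lunches", members: ["carol@example.com"] },
};

// A session stands in for one authenticated WebSocket connection; messages it
// receives are collected in `inbox` so the behaviour can be inspected offline.
function makeSession(email) {
  const inbox = [];
  return { email, inbox, send(msg) { inbox.push(msg); } };
}

// Data minimisation: identify the actor by an opaque id on the wire, never by
// email address; the client can resolve the id against the members it already knows.
function minimizeEvent(event) {
  const { actorEmail, ...rest } = event; // drop the email from the wire format
  return rest;
}

// Vulnerable pattern: every connected session receives every wallet event.
function broadcastToAll(sessions, event) {
  let delivered = 0;
  for (const s of sessions) {
    s.send(JSON.stringify(event));
    delivered++;
  }
  return delivered;
}

// Hardened pattern: resolve the wallet's membership on the server and deliver
// only to sessions whose authenticated identity is in that set.
function fanOutToMembers(sessions, walletTable, event) {
  const wallet = walletTable[event.walletId];
  if (!wallet) return 0; // unknown wallet: deliver nothing
  const members = new Set(wallet.members);
  const wire = JSON.stringify(minimizeEvent(event));
  let delivered = 0;
  for (const s of sessions) {
    if (members.has(s.email)) {
      s.send(wire);
      delivered++;
    }
  }
  return delivered;
}

// Run both patterns on the same constructed event and report who received what.
function runDemo() {
  const event = {
    type: "transaction.created",
    walletId: "wallet-1",
    actorId: "u-1001",
    actorEmail: "alice@example.com",
    amount: 42.5,
  };
  const users = ["alice@example.com", "bob@example.com", "carol@example.com"];
  const leaky = users.map(makeSession);
  const scoped = users.map(makeSession);
  return {
    leakyCount: broadcastToAll(leaky, event),
    // Carol is not a member of wallet-1 but still sees Alice's email.
    leakyCarolSawEmail: leaky[2].inbox.some((m) => m.includes("alice@example.com")),
    scopedCount: fanOutToMembers(scoped, wallets, event),
    scopedCarolInbox: scoped[2].inbox.length,
    // Bob is a member and gets the event, but without the email address.
    scopedBobSawEmail: scoped[1].inbox.some((m) => m.includes("alice@example.com")),
  };
}

console.log(runDemo());
```

The two defensive steps are independent: scoping recipients fixes the disclosure to non-members, and minimising the payload limits what even a legitimate member (or anyone watching the WebSocket tab on their own session) can extract.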

It is recommended that Money Lover users update their app to the latest available version using their operating system’s app store.
