A popular finance and budgeting mobile app was leaking email addresses and other sensitive data to anyone who was logged in to the platform, researchers discovered earlier this week.
As reported on BleepingComputer, cybersecurity researchers from Trustwave were looking into the traffic of an Android (opens in new tab), iOS, and Windows app called Money Lover using a proxy and the Web Sockets view in the browser’s Developer Tools, when they stumbled upon a quickly populating list of email addresses and other data. Further investigation uncovered that the emails belonged to users of the so-called “shared wallet” feature.
Shared wallets leaking
As a finance and budgeting app, Money Lover allows multiple users to collaborate on a single, shared wallet. Think of it as a wallet for the home budget, where multiple household members can log their expenses and track overall spending. As expected, users sharing the same wallet can see each other’s emails. However, so can anyone else who’s logged in to the platform, and that’s the problem. What’s more, researchers have found that live transaction metadata was also being broadcast.
“The shared wallet transactions disclose user information, such as the user’s email address and shared wallet name,” Trustwave reported. “The email address and shared wallet name can be viewed via the Web Sockets tab of the browser’s “Developer Tools.” All Money Lover users who make use of the Shared Wallet feature are affected by this issue.”
The researchers did not say when they discovered the vulnerability, or how many users were affected. What we do know is that Money Lover was downloaded more than five million times on the Google Play Store, alone.
To keep their emails safe, users are advised to update the app to the latest version as soon as possible, otherwise their email addresses might get bombarded with phishing emails and malware infection attempts.
Via: BleepingComputer (opens in new tab)
