"'Money Lover' Finance App Exposes User Data"
According to Trustwave, the "Money Lover" financial app is leaking user transactions and their related metadata, including wallet names and email addresses. Money Lover is a tool developed by Vietnam-based Finsify for managing personal finances. It is available on Google Play for Android, the Microsoft Store for PCs, and the App Store for iOS, where it has received a 4.6-star rating from over 1,000 users who may or may not have been affected by the vulnerability. Even if the app spilled no actual bank account or credit card information, the potential threat to customers' accounts would have a monetary impact on both the financial vendor and the customer, according to Trustwave senior security research manager Karl Sigler. Troy Driver, a Trustwave security researcher and Money Lover user, routed the app's traffic through a proxy server using its Web interface and uncovered the issue. In the WebSockets tab of his browser's developer tools window, he was able to view the email addresses, wallet names, and live transaction data linked with each of the app's shared wallets. This article continues to discuss the broken access control vulnerability that could have led to follow-on attacks for users of the Money Lover app.
Dark Reading reports "'Money Lover' Finance App Exposes User Data"