Financial application, Money Lover, exposed transaction data

February 10, 2023

The Money Lover financial app for Windows, Android, and iOS suffered a bug that allowed any logged-in user to peek at the email addresses and live transaction metadata for other users’ shared wallets.

This finance application lets users manage their budgets and expenses. The app has garnered five million downloads on the Play Store and is also available for Windows and iOS.

The primary feature of the Money Lover app is that it lets a user create shared wallets with specific people, such as family members. The feature’s purpose is to let users collaborate on expenses and track them together.

Users invited to a shared wallet commonly have a close relationship; hence, sharing email addresses and data among them is expected. Unfortunately, recent research revealed that the transaction data and email addresses connected to shared wallets were leaked to any authenticated user of the application.

As a result, the email addresses and shared wallet names could be viewed by any app user through the WebSockets tab of the browser’s Developer Tools.
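The root cause described above is a server pushing shared-wallet events to every authenticated WebSocket connection instead of only to the wallet’s members. The following is an added example, not Money Lover’s code, that models that fan-out in memory: a flawed broadcast-to-all routine beside a corrected membership-scoped one, plus a check a defender can run in tests or a monitoring hook to detect recipients outside the wallet’s membership. All wallet names, user ids, socket ids and email addresses are constructed.

```javascript
// Added example (not Money Lover's code): membership-scoped fan-out of
// shared-wallet events on a WebSocket server. The bug class shown here is a
// server that pushes wallet metadata to every authenticated socket; the
// corrected routine consults wallet membership before sending.

// Constructed server-side state: which users belong to which shared wallet.
const walletMembers = {
  'wallet-family': new Set(['alice', 'bob']),
  'wallet-trip':   new Set(['carol']),
};

// Constructed connection table: socket id -> authenticated user id.
const sessions = {
  s1: 'alice',
  s2: 'bob',
  s3: 'carol',
  s4: 'mallory',   // logged in, but a member of no shared wallet
};

// A constructed shared-wallet event as the server would emit it after a
// transaction: wallet name, member emails and transaction metadata.
const sampleEvent = {
  walletId: 'wallet-family',
  walletName: 'Family budget',
  memberEmails: ['alice@example.invalid', 'bob@example.invalid'],
  amount: 42.5,
  category: 'groceries',
};

// FLAWED: every authenticated socket receives every event, so any logged-in
// user (here 'mallory') sees wallet names, emails and transaction metadata
// for wallets they do not belong to. Returns the recipient socket ids.
function broadcastToAll(event, sessions) {
  return Object.keys(sessions);
}

// CORRECTED: only sockets whose authenticated user is a member of the
// event's wallet receive it. Unknown wallets are denied by default.
function broadcastToMembers(event, sessions, walletMembers) {
  const members = walletMembers[event.walletId];
  if (!members) return [];
  return Object.entries(sessions)
    .filter(([, userId]) => members.has(userId))
    .map(([socketId]) => socketId);
}

// Defensive check: given the recipients a router chose, return the socket
// ids whose user is NOT a member of the event's wallet. An empty list means
// no cross-wallet leak; anything else is a finding worth alerting on.
function leakedRecipients(event, recipients, sessions, walletMembers) {
  const members = walletMembers[event.walletId] || new Set();
  return recipients.filter((socketId) => !members.has(sessions[socketId]));
}

// Stand-alone demonstration.
const naive = broadcastToAll(sampleEvent, sessions);
const scoped = broadcastToMembers(sampleEvent, sessions, walletMembers);
console.log('broadcast-to-all recipients:', naive);
console.log('  leaked to non-members:', leakedRecipients(sampleEvent, naive, sessions, walletMembers));
console.log('member-scoped recipients:', scoped);
console.log('  leaked to non-members:', leakedRecipients(sampleEvent, scoped, sessions, walletMembers));
```

The membership lookup must happen on the server per event; filtering on the client (for example, hiding wallets the UI does not own) changes nothing, because the data is already visible in the browser’s WebSockets tab as the article describes. The `leakedRecipients` check is the kind of assertion that would have caught this regression in an integration test before release.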


The bug impacts all Money Lover users who used the ‘Shared Wallet’ feature.


The researcher spotted the information disclosure vulnerability after studying the Money Lover app’s traffic through a proxy and the WebSockets view in the browser’s developer tools. The research confirmed that the exposed data included users’ wallet names, email addresses, and limited transaction details.

The analyst initially believed these might have been the email addresses of the developers, left in a JavaScript archive. However, further examination clarified that the application’s server was exposing sensitive information: as more traffic flowed, the list grew to include more addresses.

Fortunately, the individuals concerned reported the vulnerability to Money Lover’s publisher, which promptly published a patch for the flaw last month. However, the report did not indicate when the defect was discovered or for how long Money Lover users’ data remained accessible.

The only precise detail about the bug is that the information leak affected only users of the shared wallet feature. The main risk of this flaw is that malicious parties could have accessed users’ email addresses and transaction metadata, which are prime material for phishing attacks.
