Trustwave SpiderLabs Security Advisory TWSL2023-003:
Information Disclosure Vulnerabilities in MoneyLover

Published: 02/07/2023
Version: 1.0

Vendor: Finsify (https://finsify.com/)
Product: MoneyLover
Version affected: N/A: Web Application: November 9, 2022

Product description:
Personal finance & money management app to track daily expenses & control budget

Finding 1: Information Disclosure of Users with Shared Wallets via WebSockets
Credit: Troy Driver of Trustwave
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

The mobile app allows you to manually log your transactions (spending and income), categorise and visualise income and expenses per month/year, connect to banks, and create budgeting plans. Most features of the application work in the free version, and anyone can register without needing to enter bank cards or details. For free (normal) users, transactions are commonly logged to the user's "own" wallet. There can also be "shared wallets" when a wallet is shared with other MoneyLover users (i.e. family, partners, businesses).

The mobile application is available on [Android](https://play.google.com/store/apps/details?id=com.bookmark.money), [iOS](https://apps.apple.com/au/app/money-lover-expense-tracker/id486312413) and even on the [Windows Store](https://www.microsoft.com/store/productId/9WZDNCRDRG5V). Besides the mobile applications, MoneyLover also has a web interface at `web.moneylover.me`. A registered user can log in to the Web UI and manage transactions.

Once successfully authenticated to the web UI, the browser starts receiving traffic via WebSockets for real-time updates. Within the WebSocket messages lies an information disclosure bug: the client receives live updates from other users who have added or modified a "shared wallet" transaction, even though the authenticated user is not a member of that wallet. The information disclosed includes the email address of the user, the wallet name, and the amount. The PoC can be performed with Burp Suite Proxy or just using a normal browser.
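The underlying defect is a fan-out problem: real-time events for a shared wallet are pushed to every authenticated WebSocket session instead of only to that wallet's members. The following is an added example (not Finsify's code) that shows the leaky broadcast beside a fan-out that resolves wallet membership server-side before delivering; `WALLET_MEMBERS`, the event shape and all function names are assumptions for illustration.

```javascript
// Added example, not Finsify's code: authorising WebSocket fan-out of
// shared-wallet events. All names and the event shape are assumptions.

// Constructed membership table: walletId -> Set of member userIds.
const WALLET_MEMBERS = new Map([
  ["wallet-family", new Set(["alice", "bob"])],
  ["wallet-solo", new Set(["carol"])],
]);
// Stand-in for an authenticated WebSocket session; `sent` records payloads.
function makeSession(userId) {
  return { userId, sent: [], send(msg) { this.sent.push(msg); } };
}

// Behaviour consistent with the finding: every authenticated session gets
// every shared-wallet update, regardless of wallet membership.
function broadcastAll(sessions, event) {
  for (const s of sessions) s.send(JSON.stringify(event));
  return sessions.map((s) => s.userId);
}

// Hardened fan-out: resolve the wallet's members server-side, deliver only
// to their sessions, and drop the actor's e-mail, which peers do not need.
function broadcastToMembers(sessions, event, walletMembers = WALLET_MEMBERS) {
  const members = walletMembers.get(event.walletId);
  if (!members) return []; // unknown wallet: fail closed
  const { actorEmail, ...safeEvent } = event; // data minimisation
  const delivered = [];
  for (const s of sessions) {
    if (!members.has(s.userId)) continue;
    s.send(JSON.stringify(safeEvent));
    delivered.push(s.userId);
  }
  return delivered;
}

// Constructed event: alice logs a transaction in the shared family wallet.
const SAMPLE_EVENT = {
  type: "transaction.created", walletId: "wallet-family", walletName: "Family",
  actorId: "alice", actorEmail: "alice@example.com", amount: 42.5,
};
// Runs both paths against fresh sessions and reports who received the event.
function demo() {
  const users = ["alice", "bob", "carol"];
  const leaky = broadcastAll(users.map(makeSession), SAMPLE_EVENT);
  const scoped = users.map(makeSession);
  const fixed = broadcastToMembers(scoped, SAMPLE_EVENT);
  const bobSeesEmail = "actorEmail" in JSON.parse(scoped[1].sent[0]);
  return { leaky, fixed, bobSeesEmail };
}
```

In `demo()`, carol (not a member of `wallet-family`) receives the event only on the leaky path, and bob receives it on both but without the actor's e-mail on the hardened path.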
Kindly see screenshots.

Steps to reproduce:
1. Using a valid user, authenticate to `web.moneylover.me` using a web browser.
2. Open `Developer Tools`->`Network`->`WS` (WebSockets) and refresh the webpage.
3. Click on the WebSockets traffic and navigate to the `Messages` tab.
4. Observe as live updates arrive containing details of other users regarding activities on Shared Wallets.

Vendor Response:
Silently installed backend fix sometime in late January 2023

Remediation Steps:
None necessary. Fixed on the backend.

Revision History:
11/24/2022 - Initial outreach via email, no response
11/28/2022 - Outreach via Facebook Messenger
11/29/2022 - Directed to send details to contact@moneylover.me, receipt confirmed
12/06/2022 - Reached out to get a status, no response
01/05/2023 - Reached out to get a status, response that they will get us a status ASAP
01/27/2023 - Checked the vulnerability again, silently fixed by the vendor
02/07/2023 - Advisory published

References:
1. https://web.moneylover.me/

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.