Yesterday I became full Monzo and wanted to make sure my money was safe.
I tried to do a MITM attack on the Monzo app, and everything looked pretty secure with SSL pinning, so my attempts to use a custom SSL certificate were in vain, but I noticed a 404 error using SSL to the URL:
https://internal-api.monzo.com/user-images/profile_picture/
This endpoint does not seem to have SSL pinning and exposes the bearer token in the headers.
We can then use this token with the public Monzo API in a few ways:
I have not tried more, but there could be other usable endpoints.
I managed to use the endpoints https://api.monzo.com/accounts and https://api.monzo.com/balance to get my account details and balances using the stolen token from the app.
The data includes:
{"accounts": [{"id": "acc_XXXX","closed": false,"created": "2018-11-18T16:16:28.449Z","description": "user_XXXXXX","owners": [{"user_id": "user_XXXXXX","preferred_name": "REDACTED","preferred_first_name": "REDACTED"}],"account_number": "XXXXX","sort_code": "040004",...}]}
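As an added illustration of the pinning gap described above (example code, not from the original post or from Monzo): a small audit that takes a proxy capture of an app's requests and the set of hosts the app pins, and reports any bearer token sent to an unpinned host together with the pinned hosts that received the same token. The capture and the pin set below are constructed for the example; the token value is a placeholder.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample capture (not real Monzo traffic): the shape a proxy
# would log for a mobile app, with the Authorization header included.
SAMPLE_CAPTURE = [
    {"url": "https://api.monzo.com/accounts",
     "headers": {"Authorization": "Bearer placeholder.token.value"}},
    {"url": "https://internal-api.monzo.com/user-images/profile_picture/",
     "headers": {"Authorization": "Bearer placeholder.token.value"}},
    {"url": "https://api.monzo.com/balance",
     "headers": {"Authorization": "Bearer placeholder.token.value"}},
    {"url": "https://cdn.example.net/static/logo.png", "headers": {}},
]

# Hosts the app is assumed to pin (an assumption made for this example).
PINNED_HOSTS = {"api.monzo.com"}


def token_fingerprint(value: str) -> str:
    """Short SHA-256 prefix so the report never contains the raw token."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def audit_pinning_coverage(capture, pinned_hosts):
    """Return findings for bearer tokens sent to hosts outside the pin set.

    Each finding records the unpinned host, the token fingerprint, and the
    pinned hosts that received the same token: that overlap is what makes a
    leak at the unpinned host equivalent to a leak of the main API credential.
    """
    by_token = {}  # fingerprint -> set of hosts that saw that token
    for req in capture:
        auth = req.get("headers", {}).get("Authorization", "")
        if not auth.lower().startswith("bearer "):
            continue
        host = urlsplit(req["url"]).hostname
        by_token.setdefault(token_fingerprint(auth[7:]), set()).add(host)
    findings = []
    for fp, hosts in by_token.items():
        for host in sorted(hosts - pinned_hosts):
            findings.append({
                "unpinned_host": host,
                "token": fp,
                "also_sent_to_pinned": sorted(hosts & pinned_hosts),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_pinning_coverage(SAMPLE_CAPTURE, PINNED_HOSTS):
        print(finding)
```

Adding the unpinned host to the pin set (or moving the endpoint behind a pinned host) makes the audit return no findings, which is the check to rerun after the fix.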
This could be used as a phishing vector and redirect to an attacker website: using the endpoint https://api.monzo.com/feed you can post notifications impersonating the Monzo app.
I was able to set up a hook using https://api.monzo.com/webhooks and received data from my account. Example:
{"type": "transaction.created","data": {"id": "tx_XXXXXXX","created": "2019-11-30T15:54:26.343Z","description": "NAME REDACTED","amount": -1,"fees": {},"currency": "GBP","merchant": null,"notes": "Test","metadata": {"notes": "Test","p2p_initiator": "p2p","p2p_transfer_id": "XXXXXXXX"},"labels": null,"account_balance": 0,"attachments": null,"international": null,"category": "general","is_load": false,"settled": "2019-11-30T15:54:26.343Z","local_amount": -1,"local_currency": "GBP","updated": "2019-11-30T15:54:26.539Z","account_id": "acc_XXXXXXX","user_id": "user_XXXXXXXXX","counterparty": {"account_id": "acc_XXXXXX","name": "REDACTED","preferred_name": "REDACTED","user_id": "user_XXXXXXXX"},"scheme": "p2p_payment","dedupe_id": "p2p-XXXXXXXXXX","originator": true,"include_in_spending": true,"can_be_excluded_from_breakdown": true,"can_be_made_subscription": false,"can_split_the_bill": false,"can_add_to_tab": false,"amount_is_pending": false}}
Contacted support on Twitter.
Asked to forward the details by email. Told it was going to be looked at during business hours and that it had been escalated.
Got an extensive reply from the security team acknowledging the SSL pinning issue and got a reward of 200 GBP.