Back

Tracking Monzo users

Yesterday I became full Monzo and wanted to make sure my money was safe

I tried to do a MITM attack to the Monzo app and everything looked pretty secured with ssl pinning so my attempts to use a custom SSL certificate were in vain, but I noticed a 404 error using SSL to the url :

https://internal-api.monzo.com/user-images/profile_picture/

This endpoint does not seem to have SSL pinning and exposes the bearer token in the headers.

We then can use this token using the public Monzo api in a few ways:

  • Get account details
  • Get balances
  • Show Monzo app notifications
  • Setup web hooks

    I have not tried more but could be other usable endpoints

Getting accounts details and balances

I managed to use the endpoint https://api.monzo.com/accounts and https://api.monzo.com/balance. To get my account details and balances using the stolen token from the app. The data includes:

  • Full name
  • Account number
  • Creation date
  • Account balance and pots balances
{
    "accounts": [
        {
            "id": "acc_XXXX",
            "closed": false,
            "created": "2018-11-18T16:16:28.449Z",
            "description": "user_XXXXXX",
            "owners": [
                {
                    "user_id": "user_XXXXXX",
                    "preferred_name": "REDACTED",
                    "preferred_first_name": "REDACTED"
                }
            ],
            "account_number": "XXXXX",
            "sort_code": "040004",
            ...
        }
    ]
}

Creating custom notifications in the Monzo app

This could be used as a phishing vector and redirect to an attacker website Using the endpoint https://api.monzo.com/feed You can post notifications impersonating the Monzo app

## Tracking user transactions using web hooks You cannot get a list of transactions from the endpoint `https://api.monzo.com/transactions` and are given an access denied. But you can set up a web hook and will give you access to realtime data from that user without them having any way to know.

I was able to setup a hook using https://api.monzo.com/webhooks and received data from my account. Example:

{
    "type": "transaction.created",
    "data": {
        "id": "tx_XXXXXXX",
        "created": "2019-11-30T15:54:26.343Z",
        "description": "NAME REDACTED",
        "amount": -1,
        "fees": {},
        "currency": "GBP",
        "merchant": null,
        "notes": "Test",
        "metadata": {
            "notes": "Test",
            "p2p_initiator": "p2p",
            "p2p_transfer_id": "XXXXXXXX"
        },
        "labels": null,
        "account_balance": 0,
        "attachments": null,
        "international": null,
        "category": "general",
        "is_load": false,
        "settled": "2019-11-30T15:54:26.343Z",
        "local_amount": -1,
        "local_currency": "GBP",
        "updated": "2019-11-30T15:54:26.539Z",
        "account_id": "acc_XXXXXXX",
        "user_id": "user_XXXXXXXXX",
        "counterparty": {
            "account_id": "acc_XXXXXX",
            "name": "REDACTED",
            "preferred_name": "REDACTED",
            "user_id": "user_XXXXXXXX"
        },
        "scheme": "p2p_payment",
        "dedupe_id": "p2p-XXXXXXXXXX",
        "originator": true,
        "include_in_spending": true,
        "can_be_excluded_from_breakdown": true,
        "can_be_made_subscription": false,
        "can_split_the_bill": false,
        "can_add_to_tab": false,
        "amount_is_pending": false
    }
}

Vulnerability report timeline

  • 30/11/19 16:37PM

Contacted support on Twitter

  • 30/11/19 17:08PM

Asked to forward the details by email. Told it was going to be look at during business hours and it had been escalated.

  • 02/12/19

Got a extensive replay from the security team acknowledging the ssl pinning issue and got a reward for 200GBP