Tracking Monzo users

Yesterday I became full Monzo and wanted to make sure my money was safe.

I tried a MITM attack against the Monzo app. Everything looked pretty secure with SSL pinning, so my attempts to use a custom SSL certificate were in vain, but I noticed a 404 error over SSL to the URL:

https://internal-api.monzo.com/user-images/profile_picture/

This endpoint does not seem to have SSL pinning and exposes the bearer token in the request headers.

We can then use this token with the public Monzo API in a few ways:

  • Get account details
  • Get balances
  • Show Monzo app notifications
  • Set up web hooks

I have not tried more, but there could be other usable endpoints.


Getting accounts details and balances

I managed to use the endpoints https://api.monzo.com/accounts and https://api.monzo.com/balance to get my account details and balances using the stolen token from the app. The data includes:

  • Full name
  • Account number
  • Creation date
  • Account balance and pots balances
```json
{
  "accounts": [
    {
      "id": "acc_XXXX",
      "closed": false,
      "created": "2018-11-18T16:16:28.449Z",
      "description": "user_XXXXXX",
      "owners": [
        {
          "user_id": "user_XXXXXX",
          "preferred_name": "REDACTED",
          "preferred_first_name": "REDACTED"
        }
      ],
      "account_number": "XXXXX",
      "sort_code": "040004",
      ...
    }
  ]
}
```

Creating custom notifications in the Monzo app

This could be used as a phishing vector to redirect the user to an attacker's website. Using the endpoint https://api.monzo.com/feed you can post notifications impersonating the Monzo app.

## Tracking user transactions using web hooks

You cannot get a list of transactions from the endpoint `https://api.monzo.com/transactions`; the request is denied. But you can set up a web hook, which gives you real-time data from that user without them having any way to know.

I was able to set up a hook using https://api.monzo.com/webhooks and received data from my account. Example:

```json
{
  "type": "transaction.created",
  "data": {
    "id": "tx_XXXXXXX",
    "created": "2019-11-30T15:54:26.343Z",
    "description": "NAME REDACTED",
    "amount": -1,
    "fees": {},
    "currency": "GBP",
    "merchant": null,
    "notes": "Test",
    "metadata": {
      "notes": "Test",
      "p2p_initiator": "p2p",
      "p2p_transfer_id": "XXXXXXXX"
    },
    "labels": null,
    "account_balance": 0,
    "attachments": null,
    "international": null,
    "category": "general",
    "is_load": false,
    "settled": "2019-11-30T15:54:26.343Z",
    "local_amount": -1,
    "local_currency": "GBP",
    "updated": "2019-11-30T15:54:26.539Z",
    "account_id": "acc_XXXXXXX",
    "user_id": "user_XXXXXXXXX",
    "counterparty": {
      "account_id": "acc_XXXXXX",
      "name": "REDACTED",
      "preferred_name": "REDACTED",
      "user_id": "user_XXXXXXXX"
    },
    "scheme": "p2p_payment",
    "dedupe_id": "p2p-XXXXXXXXXX",
    "originator": true,
    "include_in_spending": true,
    "can_be_excluded_from_breakdown": true,
    "can_be_made_subscription": false,
    "can_split_the_bill": false,
    "can_add_to_tab": false,
    "amount_is_pending": false
  }
}
```
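Since the post notes that a webhook registered with a leaked token is invisible to the user in the app, here is an added defensive check (my own example, not code from the post or from Monzo): the account owner lists the webhooks on their own account with their own token and flags any whose URL they did not register themselves. The list endpoint is the one the post names; the response shape is assumed from Monzo's public API docs, and the sample webhooks are constructed.

```python
import json
from urllib.parse import urlparse
from urllib.request import Request, urlopen

MONZO_API = "https://api.monzo.com"

# Constructed sample of a GET /webhooks?account_id=... response. The shape
# {"webhooks": [{"id", "account_id", "url"}]} is an assumption taken from
# Monzo's public API docs; verify it against the current docs.
SAMPLE_WEBHOOK_LIST = json.dumps({
    "webhooks": [
        {"id": "webhook_000001", "account_id": "acc_XXXX",
         "url": "https://hooks.example.org/monzo"},
        {"id": "webhook_000002", "account_id": "acc_XXXX",
         "url": "http://203.0.113.7:8080/collect"},
    ]
})


def fetch_webhooks(token, account_id):
    """Live lookup with the owner's own token (not called in the offline demo)."""
    req = Request(f"{MONZO_API}/webhooks?account_id={account_id}",
                  headers={"Authorization": f"Bearer {token}"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def find_unexpected_webhooks(list_json, allowed_hosts):
    """Return (id, url) for every webhook that is not HTTPS or whose host is
    not one the owner registered. Anything flagged should be deleted via the
    API and the app's sessions logged out so the leaked token stops working."""
    flagged = []
    for hook in json.loads(list_json).get("webhooks", []):
        parsed = urlparse(hook["url"])
        if parsed.scheme != "https" or parsed.hostname not in allowed_hosts:
            flagged.append((hook["id"], hook["url"]))
    return flagged


if __name__ == "__main__":
    # Offline run over the constructed sample; only hooks.example.org is ours.
    for hook_id, url in find_unexpected_webhooks(SAMPLE_WEBHOOK_LIST,
                                                 {"hooks.example.org"}):
        print("unexpected webhook:", hook_id, url)
```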

Vulnerability report timeline

  • 30/11/19 16:37PM: Contacted support on Twitter.
  • 30/11/19 17:08PM: Asked to forward the details by email. Told it was going to be looked at during business hours and that it had been escalated.
  • 02/12/19: Got an extensive reply from the security team acknowledging the SSL pinning issue, and received a reward of 200 GBP.