Venmo is a mobile app that lets friends exchange payments with one another in a simplified way. But a security researcher found a way to execute that action on a victim's behalf without ever unlocking a compromised device. An attacker could potentially brute-force a charge payment from a victim using a 6-digit code in reply to an SMS message sent to the victim's phone. The developers of the app decided to kill the “reply-to-pay” functionality in June.

