Whisper Money Insecure Direct Object Reference Vulnerability Allowing Unauthorized Balance Updates
Vulnerability
An insecure direct object reference (IDOR) vulnerability has been identified in Whisper Money, a personal finance application. The issue is present in versions prior to 0.1.5. It allows an authenticated user to update or create account balances in other users' bank accounts.
Impact
Exploitation of this vulnerability allows users to manipulate account balances in other users' bank accounts, potentially leading to unauthorized financial transactions or discrepancies.
Reproduction
The vulnerability can be reproduced by sending a request to the sync/balances endpoint with an account ID that belongs to a different user. Concretely: create an account as one user, then, while authenticated as a second user, submit that account ID to update or create a balance. The endpoint accepts the client-supplied account ID without verifying that it belongs to the requesting user.
Remediation
Users can update to Whisper Money version 0.1.5 or later, where this vulnerability has been patched.
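As an added illustration of the missing check (hypothetical code, not Whisper Money's own; the advisory does not show the implementation), a balance-sync handler in the pre-fix shape beside a fixed one. Only the sync/balances endpoint and the account-ID parameter come from the advisory; the store, user names and function names are constructed.

```python
"""Illustrative ownership check for a balance-sync style endpoint.

Hypothetical code, not Whisper Money's own. Assumes an in-memory
`accounts` mapping (account_id -> owner_id) and a `balances` mapping
(account_id -> amount); both are constructed here for the demo.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not touch the referenced account."""


@dataclass
class Store:
    accounts: dict = field(default_factory=dict)  # account_id -> owner_id
    balances: dict = field(default_factory=dict)  # account_id -> amount


def sync_balance_vulnerable(store, current_user_id, account_id, amount):
    """Pre-fix shape: the client-supplied account_id is trusted outright,
    so a balance can be written (or created) for any account, even one
    that does not exist or belongs to another user."""
    store.balances[account_id] = amount  # no ownership check at all
    return store.balances[account_id]


def sync_balance_fixed(store, current_user_id, account_id, amount):
    """Fixed shape: resolve the account through the current user.

    An unknown account and a foreign account fail identically, so the
    response does not reveal whether another user's account id exists."""
    owner = store.accounts.get(account_id)
    if owner is None or owner != current_user_id:
        raise Forbidden(f"account {account_id} not accessible")
    store.balances[account_id] = amount
    return store.balances[account_id]


def demo():
    """Constructed scenario: bob submits alice's account id."""
    store = Store(accounts={"acct-1": "alice", "acct-2": "bob"})
    leaked = sync_balance_vulnerable(store, "bob", "acct-1", 999)
    try:
        sync_balance_fixed(store, "bob", "acct-1", 0)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked, store.balances["acct-1"]


if __name__ == "__main__":
    print(demo())  # (999, True, 999): the vulnerable path wrote alice's balance
```

A server-side log of Forbidden outcomes on this endpoint (caller, requested account id) is the natural detection signal for attempts against other users' accounts.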
