Venmo is yet again in the news for all the wrong reasons. Last year, the company faced severe public criticism over loopholes in its privacy settings when a privacy researcher was able to download innumerable company transactions. This year too, a computer science student attempted a similar act by scraping nearly 7 million Venmo transactions.
The act is believed to be intended toward making Venmo’s thousands of users understand that public activity over the company’s platform is not secure and can be easily accessed by anyone.
The student, Dan Salmon, has admitted to downloading the transactions over a 6-month time frame with the intention of raising awareness among the company’s users. He also said that this activity should be taken as a warning by Venmo users across the world to set their payments to private from now on.
Payments made over the Venmo peer-to-peer mobile payments service are set to public by default. This is what made scraping possible in both incidents. Last year, a former Mozilla fellow by the name of Hang Do Thi Duc successfully downloaded a whopping 207 million user transactions from the company’s database.
Now, a year later, Salmon’s act has brought to light that Venmo has hardly done anything to secure its developer API for its users. Information on numerous transactions between users can still be easily obtained without user permission, and even without downloading the app.
Repercussions on Venmo Users
Salmon says that the scraped data can be used by anyone to get a glimpse into a particular user’s entire history of public transaction records saved so far. This means that one can learn who has shared money with whom, when, and in certain cases even why, including for illicit purposes.
“There’s truly no reason to have this API open to unauthenticated requests”, according to Salmon’s quote to TechCrunch. He added, “The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that’s your goal then you should require a token with each request to verify that the user is logged in.”
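The control Salmon describes, a public-feed endpoint that refuses unauthenticated requests, combined with the private-by-default visibility the article argues for, as an added illustration that is not Venmo's code. All class names, tokens and transactions below are hypothetical and constructed for the example; the page-size cap is an added assumption to blunt bulk downloading.

```python
# Added illustration, not Venmo's code: a minimal public-feed service that
# (1) requires a valid session token on every feed request, (2) keeps new
# transactions private unless the user opts in, and (3) caps page size.
# All names and data are hypothetical and constructed for the example.
from dataclasses import dataclass, field
from typing import Optional
import secrets
import time

MAX_PAGE_SIZE = 20          # hard cap on items per request to blunt bulk scraping
SESSION_TTL_SECONDS = 3600  # tokens expire, so a leaked token is not reusable forever


@dataclass
class Transaction:
    sender: str
    receiver: str
    note: str
    ts: int
    visibility: str = "private"  # private by default, the opposite of the behaviour described


@dataclass
class FeedService:
    transactions: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)  # token -> (user, expires_at)

    def login(self, user: str, now: Optional[int] = None) -> str:
        """Issue a random bearer token bound to a user with an expiry time."""
        now = now if now is not None else int(time.time())
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now + SESSION_TTL_SECONDS)
        return token

    def _user_for(self, headers: dict, now: int) -> Optional[str]:
        """Resolve the Authorization header to a user, or None if missing/expired."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        entry = self.sessions.get(auth[len("Bearer "):])
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

    def public_feed(self, headers: dict, page_size: int = MAX_PAGE_SIZE,
                    now: Optional[int] = None):
        """Return (status, items): 401 with no data unless the caller is logged in."""
        now = now if now is not None else int(time.time())
        if self._user_for(headers, now) is None:
            return 401, []  # unauthenticated callers get no feed at all
        size = max(1, min(page_size, MAX_PAGE_SIZE))
        items = [t for t in self.transactions if t.visibility == "public"]
        items.sort(key=lambda t: t.ts, reverse=True)
        return 200, items[:size]
```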