The vast majority of Venmo transactions are being logged in a public API accessible to anyone, according to the recent investigation of a privacy advocate.
The reason this happens is that the Venmo app's default settings are set to "Public" for all users.
Unless users specifically change this value, all the transactions they make via the Venmo money-sending app are logged and made available to anyone via the Venmo public API.
Data exposed via this API includes the first and last name of the sender and recipient, Venmo avatars, the date of the transaction, a comment regarding the transaction, transaction types, and more.
Venmo API can be used to track people's livesHang Do Thi Duc, the privacy advocate who discovered this issue, says he used this privacy policy to query the Venmo API and download data on all of the company's 2017 public transactions —207,984,218, in total.
He also set up a website called "
Public by Default" where he lists a few cases of interconnected Venmo payments, creating profiles for some of the company's customers. For example, Duc tracked transactions related to a cannabis reseller, a corn dealer, a family, random couples, but also the story of a woman with 2,033 Venmo transactions.
Duc has also published
visual instructions on how Venmo users could change the privacy of their profile from Public to Private.
The Venmo API is available
here, while users can also access this
link to view the latest Venmo transaction recorded in the public API.
Problem known since 2016Venmo is a US-only mobile payments app launched in 2009. Braintree bought Venmo in 2012 for $26.2 million, while a year later PayPal bought Braintree for $800 million, and now Venmo is an official PayPal subsidiary.
Duc's work is not the first of its kind, as security researcher Dan Gorelick first warned of this issue back in
October 2016, publishing a tutorial on how someone could mine the Venmo API for sensitive information.
source
