Venmo, the mobile payment app owned by PayPal, has its APIs set to public by default and is exposing users' data, including their transaction details.
Venmo, the mobile payment app owned by PayPal, has its APIs set to public by default and is exposing users’ data, including their transaction details. What is the purpose of having public APIs? What are the other risks beyond the info being public?
Venmo is a service of PayPal Inc. that enables users to send or receive money. The Venmo website states that “personal and financial data is encrypted and protected on our secure servers to guard against unauthorized transactions,” which is how it should be. But, oddly, all Venmo transactions are public by default, even to those who don’t use the app.
For example, data of the latest transactions on Venmo include the user’s name, the name of the person the transaction was with and any message sent between them, including transaction details. The site 22.8miles, backed by the Public By Default project, downloaded all the public transactions from 2017 — nearly 208 million in total — using the public Venmo API. The information gleaned about Venmo users from this data provided detailed insights into their personal lives.
The Venmo API is not documented, but it is fairly straightforward to figure out how it works. Because the facts and figures disclosed on the Public By Default site have received a lot of attention, Venmo has changed the rate limit, so bulk access to the Venmo API is not possible anymore. However, enough data that would enable hackers to craft believable phishing emails, stalkers to track or blackmail their victims, or companies to target users with ad campaigns can still be collected.
Aggregated data from Venmo can provide useful statistics about modern society; for example, rent transactions peak on the first of month, but millennials seem to pay rent to their roommates all the time. However, the fact that it is possible to discover that a married couple in California shops for groceries weekly at Walmart and is paying off a loan is a problem — and one that Venmo’s approximately 7 million active monthly users are probably not fully aware of.
There are thousands of publicly available APIs and there are plenty beyond those provided by the major social media sites. The United States Census Bureau, for example, provides APIs to its publicly available data sets allowing research into the social, economic, demographic and housing characteristics of the U.S. population, while the European APIs provide access to data collections drawn from the major museums and galleries across Europe.
Allowing researchers or commercial companies access to large data sets can lead to scientific breakthroughs, or new products and services from which we all benefit. However, when personally identifiable data is involved, users must knowingly give their consent for it to be used and it should be anonymized when it is accessible via a public API. The Venmo website does not make it clear to users the extent to which their transactions are public unless they change the default settings for the app.
Any organization that provides public APIs needs to ensure that they cannot be abused in order to access data not intended to be publicly available or expose personal information that could potentially identify a specific individual.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)