200 million transactions visible to all, inc. the inside dope on a cannabis seller’s annual sales
PayPal-owned digital wallet Venmo shares way too much data via its public API, according to Berlin-based researcher Hang Do Thi Duc.
If users accept the default setting on their account when they sign up, Do Thi Duc found that their transaction details are accessible via the service’s API, making it “incredibly easy to see what people are buying, who they’re sending money to, and why”, she wrote.
The API is visible at Venmo here. It allowed Do Thi Duc to download more than 200 million transactions processed in 2017. The researcher said “I learned an alarming amount” about users, their transactions, and what they were buying.
Including cannabis (thanks to records of a seller with more than 900 transactions last year), food, romantic gifts, pizzas, AirBNB rents – all carrying personal info far beyond what most Venmo users think is public.
Venmo seems quite proud of the API’s power, since this link shows the most recent transaction, whatever it might be, from a user who hasn’t marked their settings as “private” in the app.
“I think it’s problematic that there is a public feed which includes real names, their profile links (to access past transactions), possibly their Facebook IDs and essentially their network of friends they spend time with,” Do Thi Duc wrote.
Venmo told The Guardian “Our users trust us with their money and personal information, and we take this responsibility and applicable privacy laws very seriously. Like on other social networks, Venmo users can choose what they want to share on the Venmo public feed”.
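The design problem described above is a public-by-default feed that exposes every field of a transaction. The following is an added illustration, not Venmo’s code and not Do Thi Duc’s analysis, of the two settings a feed designer controls: the default visibility applied when a user never chose one, and the field set published for transactions that are public. The record layout, field names (`sender_profile`, `sender_facebook_id`, `note`, and so on) and the sample transactions are constructed for the example; Venmo’s real schema is not shown on the page.

```python
"""Private-by-default feed builder (constructed example, not Venmo's code)."""
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set

# Constructed record layout; field names are assumptions for illustration only.
@dataclass
class Transaction:
    txn_id: str
    sender_name: str               # real name
    sender_profile: str            # link to the sender's profile / past transactions
    sender_facebook_id: Optional[str]
    recipient_name: str
    note: str                      # free-text memo that reveals what was bought
    amount: float
    visibility: Optional[str] = None   # None = the user never touched the setting

# Fields whose exposure in a public feed lets an outsider profile a user.
SENSITIVE_FIELDS: Set[str] = {
    "sender_name", "sender_profile", "sender_facebook_id",
    "recipient_name", "note", "amount",
}

# Constructed sample data (not real transactions).
SAMPLE: List[Transaction] = [
    Transaction("t1", "Alice Example", "https://example.invalid/u/alice",
                "fb-000001", "Bob Example", "weed", 40.0, visibility=None),
    Transaction("t2", "Carol Example", "https://example.invalid/u/carol",
                None, "Dave Example", "rent", 900.0, visibility="private"),
    Transaction("t3", "Erin Example", "https://example.invalid/u/erin",
                "fb-000003", "Frank Example", "pizza", 12.5, visibility="public"),
]


def public_feed(txns: List[Transaction], default_public: bool,
                minimal: bool) -> List[Dict]:
    """Build the publicly visible feed under a given policy.

    default_public: visibility applied when the user never chose one.
    minimal:        if True, publish only what a social feed needs (who paid
                    whom), dropping profile links, Facebook IDs, the note and
                    the amount.
    """
    feed: List[Dict] = []
    for t in txns:
        vis = t.visibility
        if vis is None:
            vis = "public" if default_public else "private"
        if vis != "public":
            continue
        if minimal:
            record = {"txn_id": t.txn_id, "sender_name": t.sender_name,
                      "recipient_name": t.recipient_name}
        else:
            record = asdict(t)
        feed.append(record)
    return feed


def exposed_pii_fields(feed: List[Dict]) -> Set[str]:
    """Which sensitive fields actually appear (non-empty) anywhere in the feed."""
    exposed: Set[str] = set()
    for record in feed:
        for name in SENSITIVE_FIELDS:
            if record.get(name) not in (None, ""):
                exposed.add(name)
    return exposed


if __name__ == "__main__":
    permissive = public_feed(SAMPLE, default_public=True, minimal=False)
    hardened = public_feed(SAMPLE, default_public=False, minimal=True)
    print("public-by-default, full records:", len(permissive), "records,",
          sorted(exposed_pii_fields(permissive)))
    print("private-by-default, minimal records:", len(hardened), "records,",
          sorted(exposed_pii_fields(hardened)))
```

Under the permissive policy the untouched account (`t1`) lands in the feed with its note, amount, profile link and Facebook ID; under the hardened policy only the explicitly public transaction appears, and only as a name pair. The two knobs are independent: flipping the default alone still leaks full records for users who opt in, and trimming fields alone still publishes everyone who never looked at the setting.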
At the time of writing, the API links posted by Do Thi Duc are still active; however, The Register notes that some API references have been taken down.
As the screenshot below shows, Google has at some point indexed the URL for Venmo’s API documentation at https://venmo.com/api.
This now redirects back to the company’s home page.