[BreachExchange] PayPal's pal Venmo spaffs your pals' payments – and yours

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 18 19:10:23 EDT 2018 

https://www.theregister.co.uk/2018/07/18/venmo_spaffs_
transactions_to_worlddog/


PayPal-owned digital wallet Venmo shares way too much data via its public
API, according to Berlin-based researcher Hang Do Thi Duc.

If users accept the default setting on their account when they sign up, Do
Thi Duc found that their transaction details are accessible via the
service's API, making it “incredibly easy to see what people are buying,
who they’re sending money to, and why”, she wrote.

The API is visible at Venmo here. It allowed Do Thi Duc to download more
than 200 million transactions processed in 2017. The researcher said “I
learned an alarming amount” about users, their transactions, and what they
were buying.

Including cannabis (thanks to records of a seller with more than 900
transactions last year), food, romantic gifts, pizzas, AirBNB rents – all
carrying personal info far beyond what most Venmo users think is public.

Venmo seems quite proud of the API's power, since this link shows the most
recent transaction, whatever it might be, from a user who hasn't marked
their settings as “private” in the app.

“I think it’s problematic that there is a public feed which includes real
names, their profile links (to access past transactions), possibly their
Facebook IDs and essentially their network of friends they spend time
with,” Do Thi Duc wrote.

Venmo told The Guardian “Our users trust us with their money and personal
information, and we take this responsibility and applicable privacy laws
very seriously. Like on other social networks, Venmo users can choose what
they want to share on the Venmo public feed”.

At the time of writing, the API links posted by Do Thi Duc are still
active, however The Register notes some API references have been taken down.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180718/83bcc9e7/attachment.html>

More information about the BreachExchange mailing list