PayPal-owned digital wallet Venmo shares way too much data via its public API, according to Berlin-based researcher Hang Do Thi Duc.
If users accept the default setting on their account when they sign up, their transaction details are accessible via the service's API, making it “incredibly easy to see what people are buying, who they’re sending money to, and why”, Do Thi Duc wrote.
By default, Venmo shows your payments and your friends' payments to your other Venmo-using friends in the app – much like tweeting and posting pictures to Instagram is public by default.
The API is visible at Venmo here. It allowed Do Thi Duc to download more than 200 million transactions processed in 2017. The researcher said: “I learned an alarming amount” about users, their transactions, and what they were buying."
This includes cash for cannabis (thanks to records of a seller with more than 900 transactions last year), food, romantic gifts, pizzas, AirBNB rents, and so on – all carrying personal info far beyond what most Venmo users think is public.
PayPal probed over Venmo cash-flinging appREAD MORE
Venmo seems quite proud of the API's power, since this link shows the most recent transaction, whatever it might be, from a user who hasn't marked their settings as “private” in the app.
“I think it’s problematic that there is a public feed which includes real names, their profile links (to access past transactions), possibly their Facebook IDs and essentially their network of friends they spend time with,” Do Thi Duc wrote.
Venmo told The Guardian: “Our users trust us with their money and personal information, and we take this responsibility and applicable privacy laws very seriously. Like on other social networks, Venmo users can choose what they want to share on the Venmo public feed”.
At the time of writing, the API links posted by Do Thi Duc are still active, however The Register notes some API references have been taken down.
As the screenshot below shows, Google has at some point indexed the URL for Venmo's API documentation at https://venmo.com/api.
This now redirects back to the company's home page. ®
PS: Someone's created a Twitter bot to show drug purchases via Venmo.