This article is more than 1 year old

PayPal's pal Venmo spaffs your pals' payments – and yours

200 million transactions visible to all, inc. the inside dope on a cannabis seller's annual sales

PayPal-owned digital wallet Venmo shares way too much data via its public API, according to Berlin-based researcher Hang Do Thi Duc.

If users accept the default setting on their account when they sign up, their transaction details are accessible via the service's API, making it “incredibly easy to see what people are buying, who they’re sending money to, and why”, Do Thi Duc wrote.

By default, Venmo shows your payments and your friends' payments to your other Venmo-using friends in the app – much like tweeting and posting pictures to Instagram is public by default.

The API is visible at Venmo here. It allowed Do Thi Duc to download more than 200 million transactions processed in 2017. The researcher said: “I learned an alarming amount” about users, their transactions, and what they were buying."

This includes cash for cannabis (thanks to records of a seller with more than 900 transactions last year), food, romantic gifts, pizzas, AirBNB rents, and so on – all carrying personal info far beyond what most Venmo users think is public.

Venmo on phone

PayPal probed over Venmo cash-flinging app

READ MORE

Venmo seems quite proud of the API's power, since this link shows the most recent transaction, whatever it might be, from a user who hasn't marked their settings as “private” in the app.

“I think it’s problematic that there is a public feed which includes real names, their profile links (to access past transactions), possibly their Facebook IDs and essentially their network of friends they spend time with,” Do Thi Duc wrote.

Venmo told The Guardian: “Our users trust us with their money and personal information, and we take this responsibility and applicable privacy laws very seriously. Like on other social networks, Venmo users can choose what they want to share on the Venmo public feed”.

At the time of writing, the API links posted by Do Thi Duc are still active, however The Register notes some API references have been taken down.

As the screenshot below shows, Google has at some point indexed the URL for Venmo's API documentation at https://venmo.com/api.

Venmo Googled screenshot

Click to enlarge

This now redirects back to the company's home page. ®

PS: Someone's created a Twitter bot to show drug purchases via Venmo.

More about

More about

More about

TIP US OFF

Send us news


Other stories you might like