MOBILE PAYMENTS APP Venmo has been accused of spilling the details of millions of users via an open API that anyone can tap.
As a result, users’ personal details are open for everyone to view, unless they make them private. Many, though, would appear not to realise that something as sensitive as a payments app would spill such details by default.
The privacy hole was discovered by Mozilla media fellow Hang Do Thi Duc, who was also responsible for coding Data Selfie, a browser extension that shows users what Facebook knows about you.
“Since all Venmo activity is public by default, it’s incredibly easy to see what people are buying, who they’re sending money to, and why,” wrote Do Thi Duc in a blog post.
“I used Venmo’s public API to download all public transactions of 2017, pulling in a total of 207,984,218 transactions. By looking through users and their transactions, I learned an alarming amount about them,” she continued.
These Venmo user stories included a cannabis dealer in Santa Barbara, California; a food cart operative, also in California; and various individuals who publicly revealed, according to the stories told in the Venmo API, a lot more about their lives to the world than they might have expected of a payments app.
The data revealed by the Venmo API includes first and last names, profile pictures, the times of transactions and with whom, and messages attached to those transactions.
“One would think that when it comes to money, privacy by design is of greater importance and higher demand,” wrote Do Thi Duc, but the fact that Venmo doesn’t even appear to have considered the consequences of allowing so much information to be shared, by default, is “problematic”.
In some cases, Facebook IDs and networks of acquaintances have been revealed by the Venmo API.
Source : Inquirer