
- Jul 20, 2018
PayPal's Venmo App Exposes Transactions via its API
According to Berlin-based researcher Hang Do Thi Duc, Venmo, an e-wallet owned by the payments company PayPal, is sharing too much of its data through its public API. The researcher found that if the default settings on a user’s account are accepted during sign-up, the details of any transactions are visible via the service’s API. This makes the data easily accessible and leaves the user vulnerable, because anyone can see what someone else is buying and who they are sending money to.
Using Venmo's public API, the researcher was able to download more than 200 million transactions made with the digital wallet in 2017. She said that the information was vast and that she learnt an ‘alarming’ amount about each user's transactions and payment history. She also learnt what people were buying online, including cannabis, food, romantic gifts, pizzas, Airbnb rents, etc. This information was obviously more than what people think they are sharing when they buy something online.
Venmo seems quite proud of what they are doing. They believe that their API is indeed powerful, since it shows the most recent transaction, irrespective of the nature of that transaction, from a user who hasn't changed their settings to “private” in the app.
Venmo told The Guardian that users were trusting them with their personal information like other social networks, and that they can choose what to share on Venmo’s public feed. They said that they take full responsibility for the user’s money and data and take privacy laws seriously.
Read more at www.theregister.co.uk