A computer science student has revealed the details of seven million transactions made on the personal payment app Venmo.
The student, Dan Salmon, said he scraped the transactions over a six-month period to raise awareness that Venmo payments are public by default, and published the scraped data on his GitHub page.
This comes a year after Hang Do Thi Duc, a former Mozilla fellow, downloaded 207 million transactions. This widespread news of Venmo’s scrapable data inspired numerous projects – including a bot that tweeted out every time someone bought drugs.
Despite this widespread coverage, Venmo is still making it easy to download millions of transactions through the company’s developer API without obtaining user permission or even needing the application itself.
Using the publicly available data, anyone can view a user’s entire transaction history, whom they sent money to and received it from, and what each transaction was tagged with – exposing an even greater amount of personal data and information.
Salmon told the TechCrunch website: “There’s truly no reason to have this API open to unauthenticated requests. The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that’s your goal then you should require a token with each request to verify that the user is logged in.”
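The design point in Salmon’s remark is that a feed endpoint meant for logged-in users should refuse requests that carry no session token, and should return only what the caller is entitled to see, one page at a time. The following is an added illustration written for this page; it is not Venmo’s code and does not describe its API. The user names, transaction records, friend list, HMAC-based token format and page limits are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records for illustration; not real transactions or users.
@dataclass(frozen=True)
class Transaction:
    tx_id: int
    sender: str
    receiver: str
    note: str
    visibility: str = "private"   # private unless the user opts into "friends" or "public"

TRANSACTIONS: List[Transaction] = [
    Transaction(1, "alice", "bob", "rent", "public"),
    Transaction(2, "bob", "carol", "pizza", "friends"),
    Transaction(3, "carol", "dave", "gift"),           # default: private
    Transaction(4, "dave", "alice", "coffee", "public"),
]

# Constructed friend lists: FRIENDS[u] are the users allowed to see u's "friends" items.
FRIENDS: Dict[str, Set[str]] = {"bob": {"alice", "carol"}}

# Hypothetical per-deployment secret. A real service would load it from a secret
# store and use expiring, revocable sessions rather than a bare HMAC of the username.
SESSION_SECRET = secrets.token_bytes(32)

def issue_session_token(username: str) -> str:
    """Mint a token that ties a logged-in username to an HMAC tag."""
    tag = hmac.new(SESSION_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"

def verify_session_token(token: Optional[str]) -> Optional[str]:
    """Return the username if the token is genuine, otherwise None."""
    if not token or "." not in token:
        return None
    username, tag = token.rsplit(".", 1)
    expected = hmac.new(SESSION_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(tag, expected) else None

def can_view(viewer: str, t: Transaction) -> bool:
    """Authorisation rule: participants always see their own items; others go by visibility."""
    if viewer in (t.sender, t.receiver):
        return True
    if t.visibility == "public":
        return True
    if t.visibility == "friends":
        return viewer in FRIENDS.get(t.sender, set())
    return False

def redact(t: Transaction) -> dict:
    """Expose only the fields the feed needs to render."""
    return {"sender": t.sender, "receiver": t.receiver, "note": t.note}

def weak_public_feed() -> List[dict]:
    """The pattern the article criticises: no token, no paging, every public item to any caller."""
    return [redact(t) for t in TRANSACTIONS if t.visibility == "public"]

def feed(token: Optional[str], page: int = 0, page_size: int = 20) -> Tuple[int, object]:
    """Hardened feed returning an HTTP-style (status, body) pair.

    401 without a valid session token; otherwise one page of the items the caller
    is authorised to see, so bulk collection needs a real, rate-limitable account.
    """
    viewer = verify_session_token(token)
    if viewer is None:
        return 401, {"error": "authentication required"}
    visible = [t for t in TRANSACTIONS if can_view(viewer, t)]
    page_size = max(1, min(page_size, 50))    # cap the page so one call cannot dump the table
    start = max(0, page) * page_size
    return 200, [redact(t) for t in visible[start:start + page_size]]

if __name__ == "__main__":
    print("unauthenticated, weak:", weak_public_feed())
    print("unauthenticated, hardened:", feed(None))
    print("alice's feed:", feed(issue_session_token("alice")))
```

Two choices carry the weight here: visibility defaults to private on the record itself, so a forgotten check cannot leak a transaction the user never chose to share, and the authorisation decision lives in one function (`can_view`) that every endpoint must call, rather than being repeated per route.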
Further concerns were raised by Do Thi Duc over a female user who had made 965 transactions for soft drinks, alcoholic drinks, fast food and sweets over an eight-month period. Do Thi Duc told The Guardian newspaper: “She’s really enjoying unhealthy drinks and food. I could imagine insurance companies might want to look at her data and make judgements about her health.”
A Venmo spokeswoman has publicly stated that the “safety and privacy” of its users is “one of our highest priorities. Our users trust us with their money and personal information, and we take this responsibility and applicable privacy laws very seriously. Like on other social networks, Venmo users can choose what they want to share on the Venmo public feed.”