Remember the outrage last year when a researcher discovered that for Venmo’s 40 million users, all transactions are “public” by default and broadcast on Venmo’s API?
More than a year later, computer science student Dan Salmon has demonstrated that it’s still incredibly easy to download millions of transactions through Venmo’s developer API without obtaining user permissions (without even using the Venmo app).
He proved this by downloading 7 million of them, TechCrunch reports:
Dan Salmon said he scraped the transactions during a cumulative six months to raise awareness and warn users to set their Venmo payments to private… Using that data, anyone can look at an entire user’s public transaction history, who they shared money with, when, and in some cases for what reason — including illicit goods and substances.
“There’s truly no reason to have this API open to unauthenticated requests,” he told TechCrunch. “The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that’s your goal then you should require a token with each request to verify that the user is logged in.”
He published the scraped data on his GitHub page.
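The design change Salmon calls for, as an added illustration that is not Venmo's or TechCrunch's code: a toy transaction feed that is public by default and served to anyone, beside a hardened version that defaults to private, requires a session token on every request, and pages results. All names and records are constructed for the example.

```python
"""Toy model of a payments feed (constructed example, not Venmo's code)."""
import secrets
from dataclasses import dataclass

@dataclass
class Transaction:
    sender: str
    recipient: str
    note: str
    visibility: str  # "public" or "private"

class AuthRequired(Exception):
    """Raised when a feed request carries no valid session (an HTTP 401)."""

# --- Design as described in the article: public by default, feed open to all ---
def new_transaction_public_default(sender, recipient, note):
    return Transaction(sender, recipient, note, visibility="public")

def open_feed(transactions):
    # No token check: every record the user did not hide is served to anyone,
    # so the whole public history can be pulled without logging in.
    return [t for t in transactions if t.visibility == "public"]

# --- Hardened: private by default, token required per request, paged ---
PAGE_SIZE = 20

class SessionStore:
    """Maps unguessable session tokens to the logged-in user."""
    def __init__(self):
        self._tokens = {}
    def issue(self, user):
        token = secrets.token_urlsafe(32)  # fresh random token per login
        self._tokens[token] = user
        return token
    def user_for(self, token):
        return self._tokens.get(token)

def new_transaction_private_default(sender, recipient, note, share_publicly=False):
    # Nothing is broadcast unless the user explicitly opts in.
    return Transaction(sender, recipient, note,
                       "public" if share_publicly else "private")

def authenticated_feed(store, transactions, token, page=0):
    """Serve one page of opt-in public records, only to a logged-in user."""
    if token is None or store.user_for(token) is None:
        raise AuthRequired("401: feed requires a valid session token")
    public = [t for t in transactions if t.visibility == "public"]
    start = page * PAGE_SIZE
    return public[start:start + PAGE_SIZE]
```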