A security researcher who analyzed more than 200 million Venmo transactions said that she was able to learn ‘an alarming amount’ about the private lives of users thanks to a privacy weakness in the app.
Anyone can track a Venmo user’s purchase history and glean a detailed profile – including their drug deals, eating habits and arguments – because the payment app lacks default privacy protections …
The Guardian reports that the research was carried out by Berlin-based researcher Hang Do Thi Duc.
By accessing the data through a public application programming interface, Do Thi Duc was able to see the names of every user who hadn’t changed their settings to private, along with the dates of every transaction and the message sent with the payment. This allowed her to explore the lives of unsuspecting Venmo users and learn “an alarming amount about them”.
The default state for transactions when a user signs up to the app is “public”, which means they can be seen by anyone on the internet. Users can change this to “private” by navigating to the app’s settings, but it’s not clearly highlighted during sign-up.
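The failure described above is a secure-by-default problem: a user who never opens the settings screen is treated as if they had opted into public sharing. The following added example (written for this page, not Venmo's code or API; the usernames, notes and the three-level visibility model are constructed assumptions) contrasts that weak default with one where silence means private, and includes the kind of audit an operator would run to find records exposed only because of the default:

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Visibility(Enum):
    PUBLIC = "public"    # readable by anyone, including unauthenticated API callers
    FRIENDS = "friends"  # readable by the two parties and their friends
    PRIVATE = "private"  # readable only by payer and payee


@dataclass
class User:
    name: str
    # The setting the user explicitly picked; None means they never touched it.
    chosen_default: Optional[Visibility] = None
    friends: set = field(default_factory=set)


@dataclass
class Transaction:
    payer: str
    payee: str
    note: str
    visibility: Visibility


def weak_default(user: User) -> Visibility:
    """Weak policy: a user who never chose anything is treated as opted into public."""
    return user.chosen_default or Visibility.PUBLIC


def hardened_default(user: User) -> Visibility:
    """Hardened policy: silence means private; public visibility needs an explicit choice."""
    return user.chosen_default or Visibility.PRIVATE


def pay(users: Dict[str, User], payer: str, payee: str, note: str,
        policy: Callable[[User], Visibility]) -> Transaction:
    """Record a payment, stamping it with the payer's effective default visibility."""
    return Transaction(payer, payee, note, policy(users[payer]))


def can_view(users: Dict[str, User], viewer: Optional[str], tx: Transaction) -> bool:
    """Decide whether `viewer` may read `tx`; viewer=None models an anonymous API caller."""
    if tx.visibility is Visibility.PUBLIC:
        return True
    if viewer is None:
        return False
    if viewer in (tx.payer, tx.payee):
        return True
    if tx.visibility is Visibility.FRIENDS:
        return viewer in users[tx.payer].friends or viewer in users[tx.payee].friends
    return False


def feed(users: Dict[str, User], viewer: Optional[str], txs: List[Transaction]) -> List[Transaction]:
    """What a given viewer (or an anonymous caller) gets back from the feed endpoint."""
    return [tx for tx in txs if can_view(users, viewer, tx)]


def exposed_by_default(users: Dict[str, User], txs: List[Transaction]) -> List[Transaction]:
    """Audit helper: public transactions whose payer never explicitly chose public."""
    return [tx for tx in txs
            if tx.visibility is Visibility.PUBLIC
            and users[tx.payer].chosen_default is not Visibility.PUBLIC]


def sample_users() -> Dict[str, User]:
    # Constructed sample accounts (hypothetical names, not real Venmo users).
    return {
        "susana": User("susana"),  # never opened the settings screen
        "pat": User("pat", chosen_default=Visibility.PRIVATE),
        "alex": User("alex", chosen_default=Visibility.PUBLIC, friends={"susana"}),
    }


def demo() -> Dict[str, List[str]]:
    users = sample_users()
    # Constructed sample payments with notes of the kind the article describes.
    notes = [("susana", "pat", "rent, please leave me alone"),
             ("pat", "susana", "I just love you"),
             ("alex", "susana", "lunch")]
    weak = [pay(users, p, q, n, weak_default) for p, q, n in notes]
    hard = [pay(users, p, q, n, hardened_default) for p, q, n in notes]
    return {
        "anon_sees_weak": [tx.note for tx in feed(users, None, weak)],
        "anon_sees_hardened": [tx.note for tx in feed(users, None, hard)],
        "exposed_weak": [tx.note for tx in exposed_by_default(users, weak)],
        "exposed_hardened": [tx.note for tx in exposed_by_default(users, hard)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under the weak policy the anonymous caller reads Susana's note even though she never chose anything, and the audit flags that record as exposed purely by default; under the hardened policy only Alex, who explicitly opted in, appears in the anonymous feed. The audit list is the first thing to produce when deciding whether a default change should be applied retroactively to existing records.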
The researcher put together a website to highlight the problem, with five illustrative stories (with names redacted). These include the transactions of a cannabis dealer, and a couple seemingly living a soap-opera relationship.
“Please leave me alone,” said the woman, who Do Thi Duc refers to as Susana.
“I just love you. I’m sad that you don’t understand,” replies the man.
In a later exchange, he says: “It’s pretty damn clear that you were using me all along. Took me a while to figure that out.” The next morning, he’s repentant. “I’m sorry. I take everything I said back.”
Venmo said that users can choose what to share, which is technically true, but it’s clear that many users don’t realize their transactions and accompanying messages are public by default.
A couple of years ago, another Venmo flaw allowed anyone to use Siri on a locked iPhone to empty your account.