A computer science student has scraped seven million Venmo transactions to prove that users’ public activity can still be easily obtained, a year after a privacy researcher downloaded hundreds of millions of Venmo transactions in a similar feat.
Venmo is a mobile payment service owned by PayPal and offers an app that allows users to share and make payments with friends for a variety of services from.
Over 7 million Venmo transactions scraped using public API https://t.co/h7bCRAxYvV
— Audrey Renée Bentley (@BentleyAudrey) June 17, 2019
Expert Comments:
Ilia Kolochenko, Founder and CEO at web security company ImmuniWeb:
“Transparency may often be used against the legitimate interests of end-users. Probably, very few of us wish to share all their payment transactions with the rest of the world even if we have nothing to hide. Venmo should explicitly and conspicuously notify all its users that their transactions are accessible by everyone unless they update their settings. Developer’s API should be provided only to vetoed, properly verified third-parties within a scope of a binding legal agreement capable of protecting users’ privacy regardless of technical flaws one may discover now or in the future. Anti-scraping functionality probably requires holistic testing via an open bug bounty program, for example, to spot and remediate as many anti-automation bypasses as possible. This will not provide absolute protection but at least will considerably reduce the efficiency of data-scraping campaigns. Without all these common-sense measures, Venmo may face serious legal ramification and severe monetary penalties in many jurisdictions, let alone disgruntled users and loss of revenue.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.