A year after being called out for a feature that exposed customers’ transactions, Venmo continues to leak hundreds of millions of transactions.
Independent researcher Dan Salmon was able to scrape millions of Venmo transactions over the course of six months and warned users to set their payments to private. His work follows a similar demonstration by privacy researchers who warned the company that users’ public activity can still be easily obtained.
OneSpan Senior Product Marketing Manager Sam Bakken pointed out the feature is intentional and not some sort of flaw or vulnerability.
“Venmo purposely designed this functionality into their app in an effort to increase user engagement – it isn’t exactly a security vulnerability,” Bakken said. “Last summer, a spokesperson said some users enjoy opening up the app to see what friends, families or strangers are purchasing via Venmo.”
Last year, former Mozilla fellow Hang Do Thi Duc downloaded 207 million transactions to demonstrate that Venmo payments between users are public by default. Little has changed since the initial exposure of the feature, and it is still easy for anyone to download the transaction data without obtaining user permission or even needing to use the application.
Bakken added that he’d argue Venmo should default to keeping users’ transactions private, and said that if the incident doesn’t convince Venmo to change their policy, he hopes more people will at least become aware of this and consider changing their settings.
In addition, Bakken said that he feels Venmo should require explicit permission to share any data publicly and that threat actors could potentially use this information against users.
Ilia Kolochenko, founder and CEO of ImmuniWeb, said that this sort of transparency may often be used against the legitimate interests of end-users.
“Probably, very few of us wish to share all their payment transactions with the rest of the world even if we have nothing to hide,” Kolochenko said. “Venmo should explicitly and conspicuously notify all its users that their transactions are accessible by everyone unless they update their settings.”
Kolochenko added that the developer API should be provided only to vetted, properly verified third parties within the scope of a binding legal agreement capable of protecting users’ privacy regardless of technical flaws one may discover now or in the future.
In addition, he said that anti-scraping functionality should be implemented and frequently tested.
ProPrivacy.com data privacy advocate Ray Walsh said that Venmo’s lack of action towards this ongoing security issue is “concerning, especially considering that it was previously found to be violating consumer privacy rights and was fined by the FTC.”
“The continued ability to access transaction data without the need for any authorization is unnecessary and demonstrates that the firm is still not doing enough to shore up the transaction data contained in its systems,” Walsh said.
Walsh added that even after these latest revelations, the payment service seems to be opting to make data harder to scrape rather than fixing the underlying privacy issues, which he said really isn’t good enough and is putting consumers at risk.
SC Media attempted to reach Venmo for comment but they have yet to respond.