According to a recent report, a computer science student has scraped seven million transactions from the Venmo payment processing app, highlighting vulnerabilities in the service. Users of the popular payment system owned by PayPal can secure the privacy of their account by following several simple steps.
TechCrunch reports that a computer science student successfully scraped seven million Venmo transactions in an attempt to prove that the public activity of users could easily be grabbed from the site. The student, Dan Salmon, did this a year after a privacy researcher downloaded hundreds of millions of Venmo transactions, showing that the app has done nothing to fix this issue, which it has been aware of for over a year.
Salmon claimed that he scraped the data in an attempt to highlight the privacy issue that the app has failed to fix. The app faced similar criticism last year after Mozilla fellow Hang Do Thi Duc downloaded 207 million transactions from the app, which resulted in multiple projects being developed that incorporated the data, one of which posted a tweet every time someone used the app to buy drugs.
Salmon proved that, a year on, the app’s developer API still allows the same sort of information to be accessed. “There’s truly no reason to have this API open to unauthenticated requests,” Salmon told TechCrunch. “The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that’s your goal then you should require a token with each request to verify that the user is logged in.”
TechCrunch posted a screenshot that showed how users of the app can protect their privacy.
Venmo is owned by payment processor PayPal, which did not return a request for comment to TechCrunch.