- A privacy advocate discovered a vulnerability in the PayPal-owned Venmo app's API that has led to a large number of transactions being leaked by the app.
- The Venmo API sets transaction records to "Public" by default, which allows anyone with access to the API to see all ongoing transactions.
- The app leaked 207,984,218 transactions in 2017 alone, and researchers say the problem has existed since 2016 and was never patched.
PayPal is in the middle of a major data leak, with its subsidiary Venmo exposing data amounting to 207,984,218 transactions. Venmo made its API publicly accessible by default, causing the US-only mobile payments platform to suffer the massive leak. Security researchers had warned the company about the vulnerability back in 2016, but no steps were taken to secure the platform.
Users have been asked to change the Venmo app's default settings to Private to prevent further public access to their data. The leaked data includes the names of senders and recipients, users' avatars, transaction dates, transaction types, and optional comments. Privacy advocate Hang Do Thi Duc is not the first person to find the issue: another advocate, Dan Gorelick, discovered the vulnerability in 2016, but the issue was not resolved.
All transactions up to yesterday are still publicly accessible via the public API. Gorelick published a tutorial for Venmo users on how to secure their data, and Duc recently released her own guide showing visually how to secure transaction data on the platform.
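To make the default concrete, the sketch below (added here, not Venmo's code; the record fields, names and sample data are constructed) models an unauthenticated feed endpoint under a public-by-default and a private-by-default setting, minimises the fields such a caller sees, and counts how many records are exposed only because the user never chose a setting.

```python
from dataclasses import dataclass
from typing import Optional

# Visibility values; the weak configuration is a platform default of PUBLIC.
PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"


@dataclass
class Transaction:
    sender: str
    recipient: str
    date: str
    kind: str                         # e.g. "payment" or "charge"
    note: Optional[str] = None        # optional free-text comment
    visibility: Optional[str] = None  # None = user never chose a setting


def effective_visibility(tx: Transaction, default: str) -> str:
    """A record without an explicit choice inherits the platform default."""
    return tx.visibility if tx.visibility is not None else default


def public_feed(txs, default, minimise=True):
    """Unauthenticated feed. With default=PUBLIC, every record the user never
    touched is exposed; with default=PRIVATE only explicit opt-ins appear.
    minimise=True also strips names and notes from what the caller sees."""
    out = []
    for tx in txs:
        if effective_visibility(tx, default) != PUBLIC:
            continue
        out.append({"date": tx.date, "kind": tx.kind} if minimise else vars(tx))
    return out


def exposed_by_default_only(txs, default):
    """Audit metric: records visible solely because of the default setting."""
    return sum(1 for tx in txs
               if tx.visibility is None and default == PUBLIC)


# Constructed sample: one explicit opt-in, one opt-out, two untouched records.
SAMPLE = [
    Transaction("alice", "bob", "2017-03-01", "payment", "rent"),
    Transaction("carol", "dave", "2017-03-02", "payment", "pizza"),
    Transaction("erin", "frank", "2017-03-03", "charge", None, PUBLIC),
    Transaction("grace", "heidi", "2017-03-04", "payment", "loan", PRIVATE),
]
```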
Duc revealed in her blog post: "I used Venmo's public API to download all public transactions of 2017, pulling in a total of 207,984,218 transactions. By looking through users and their transactions, I learned an alarming amount about them."
With security issues more common than ever, PayPal is just one of many big companies caught in a data breach. In Venmo's case the data was exposed by the developers themselves, and the company is likely to be held accountable for the breach in the near future now that GDPR guidelines are in place.