Vulnerability Found in Venmo Public API Causing Massive Data Leak

  • A privacy advocate discovered a vulnerability in the PayPal-owned Venmo app’s API that has led to a large number of transactions being leaked by the app.
  • The Venmo API has transaction records set to “Public” by default, which allows anyone with access to the API to see all ongoing transactions.
  • The app has leaked 207,984,218 transactions in 2017 alone, and researchers claim that the problem has existed since 2016 and was not patched.

PayPal is in the middle of a major data leak, with its subsidiary Venmo publicizing data amounting to 207,984,218 transactions. Venmo made its API publicly accessible by default, causing the US-only mobile payments platform to suffer the massive leak. Security researchers had warned the company about the vulnerability back in 2016, but no steps were taken to secure the platform.

Users have been requested to set the Venmo app’s default settings to Private to avoid further public data access. The leaked data includes the names of senders and recipients, the avatars of Venmo users, transaction dates, transaction types, and optional comments. Privacy advocate Hang Do Thi Duc is not the first person to discover the issue: another advocate, Dan Gorelick, found the vulnerability in 2016, but the issue was not resolved until now.
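The failure mode described above, a record visibility that is public unless the user changes it, beside a private-by-default design, as an added illustration in Python. This is not Venmo’s code or API; every class, function, field name and sample record below is constructed for the example, and the viewer-based serializer is one reasonable way to enforce the setting, not a description of how the real platform works.

```python
"""Private-by-default transaction visibility: the article's failure mode
(records public unless the user opts out) beside a hardened default, with a
serializer that decides exposure per viewer. Added example; all names,
fields and sample records are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Visibility(Enum):
    PUBLIC = "public"    # anyone, including unauthenticated API callers
    FRIENDS = "friends"  # the two parties and their friends
    PRIVATE = "private"  # only the sender and the recipient


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    sender: str
    recipient: str
    date: str
    tx_type: str
    note: str
    visibility: Visibility


# The article's failure mode: a platform-wide default of PUBLIC means every
# record whose creator never touched the setting is exposed to anyone.
INSECURE_DEFAULT = Visibility.PUBLIC
# Hardened default: a record is private unless its creator opts in.
SECURE_DEFAULT = Visibility.PRIVATE


def new_transaction(tx_id, sender, recipient, date, tx_type, note,
                    visibility: Optional[Visibility] = None,
                    default: Visibility = SECURE_DEFAULT) -> Transaction:
    """Create a record; an unset visibility falls back to the platform default."""
    return Transaction(tx_id, sender, recipient, date, tx_type, note,
                       visibility if visibility is not None else default)


def visible_to(tx: Transaction, viewer: Optional[str],
               friends: dict[str, set[str]]) -> bool:
    """Authorization decision for one record and one viewer (None = anonymous)."""
    if viewer is not None and viewer in (tx.sender, tx.recipient):
        return True  # a party always sees its own payment
    if tx.visibility is Visibility.PUBLIC:
        return True
    if tx.visibility is Visibility.FRIENDS and viewer is not None:
        return (viewer in friends.get(tx.sender, set())
                or viewer in friends.get(tx.recipient, set()))
    return False


def serialize(tx: Transaction, viewer: Optional[str],
              friends: dict[str, set[str]]) -> Optional[dict]:
    """API representation for this viewer, or None if hidden. Hidden records
    are omitted entirely rather than returned with blanked fields, so the
    feed does not even confirm that a payment between two people exists."""
    if not visible_to(tx, viewer, friends):
        return None
    return {"id": tx.tx_id, "sender": tx.sender, "recipient": tx.recipient,
            "date": tx.date, "type": tx.tx_type, "note": tx.note}


def feed(transactions, viewer: Optional[str], friends) -> list[dict]:
    """The feed endpoint: only records the viewer is authorized to see."""
    out = []
    for tx in transactions:
        rec = serialize(tx, viewer, friends)
        if rec is not None:
            out.append(rec)
    return out


def exposed_to_anonymous(transactions) -> int:
    """Defender's audit: how many records an unauthenticated caller can read."""
    return len(feed(transactions, None, {}))


# Constructed sample records, created without the users ever touching the
# visibility setting, materialized under each platform default.
RAW = [("t1", "alice", "bob", "2017-03-01", "payment", "rent"),
       ("t2", "carol", "dave", "2017-03-02", "charge", "dinner"),
       ("t3", "alice", "erin", "2017-03-03", "payment", "tickets")]
FRIENDS = {"alice": {"frank"}, "bob": set(), "carol": set(),
           "dave": set(), "erin": set()}

LEAKY = [new_transaction(*r, default=INSECURE_DEFAULT) for r in RAW]
HARDENED = [new_transaction(*r, default=SECURE_DEFAULT) for r in RAW]
# One record explicitly shared with friends under the hardened default.
HARDENED[2] = new_transaction(*RAW[2], visibility=Visibility.FRIENDS)

if __name__ == "__main__":
    print("exposed under PUBLIC default:", exposed_to_anonymous(LEAKY))      # 3
    print("exposed under PRIVATE default:", exposed_to_anonymous(HARDENED))  # 0
    print("alice's own feed:", [r["id"] for r in feed(HARDENED, "alice", FRIENDS)])
    print("frank, alice's friend:", [r["id"] for r in feed(HARDENED, "frank", FRIENDS)])
```

The audit function is the check a platform would want to run continuously: with the insecure default, all three constructed records are readable anonymously; with the private default only the records a user deliberately shared are. Note that the hardened serializer drops hidden records from the feed rather than returning them with redacted fields, so the existence of a payment between two people is not leaked either.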

All transactions up to yesterday are still available for public access via the public API. Gorelick made a tutorial available for all Venmo users to secure their data, and Duc recently published her own guide that visually shows how to secure transaction data on the platform.

Duc revealed in her blog post: “I used Venmo's public API to download all public transactions of 2017, pulling in a total of 207,984,218 transactions. By looking through users and their transactions, I learned an alarming amount about them.”

With security issues more common than ever, PayPal is just one of many large companies to be caught in a data breach. The Venmo data was exposed by the developers themselves, and with GDPR guidelines in place it is likely that the company will be held accountable for the breach in the near future.
