- Mozilla and the EFF are asking PayPal to consider changing Venmo’s privacy-undermining settings.
- The app has been repeatedly exposed by researchers, as its API reveals many of its users’ transactions.
- PayPal could change the default setting very easily, but for reasons unknown, they aren’t doing it.
The Electronic Frontier Foundation and the Mozilla Foundation have sent an open letter to Venmo, urging them to finally plug the privacy holes that have been plaguing the app since last summer. They address the letter to the PayPal leadership, as Venmo has belonged to PayPal since 2013, asking them to make all user transactions in Venmo private by default. Moreover, they advise the developers to implement more privacy-related settings and to offer ways for users to manage the visibility of their friend lists. The two organizations are worried that Venmo’s disregard for user privacy will be particularly damaging to the public if the company expands, which it is set to do.
As we reported in July 2018, privacy advocate and Mozilla security researcher Hang Do Thi Duc discovered that the Venmo API was recording all user transactions in “Public” mode by default, so anyone who could access the API could see all of the ongoing transactions. The discovery sparked investigations which revealed that more than 200 million user transactions had been leaked in 2017 alone. As Venmo is a mobile payment application that allows users to transfer funds right from their mobile devices, the leaked data was very sensitive.
Almost a year later, in June 2019, a computer science student named Dan Salmon proved that it is still possible to scrape millions of Venmo transactions through the API of the app. The reason for this is that Venmo did offer users the option of setting the transaction recording to “Private”, but the “Public” mode remained the default setting, and many users didn’t bother to change it. Two months after the media buzz that was created by this story, PayPal still hasn’t changed the default recording setting to “Private”, so the majority of the user transactions remain accessible.
As Mozilla’s Ashley Boyd told Motherboard on the matter: “It’s astounding that despite the ubiquity of data breaches, and despite multiple researchers exposing Venmo’s flaws, the app still hasn’t made user transactions private by default. You can infer so much about someone from their Venmo feed: Who they’re dating, where they eat, what they pay in rent. That information simply shouldn’t be public without users explicitly deciding to make it so.”
If you are using Venmo, secure the privacy of your transactions by tapping “Settings” in the app’s menu, entering the “Privacy” section, tapping “Past Transactions”, and then selecting “Change All to Private”. This will cover all past transactions, and secure those that will take place in the future.