Millions of Venmo Transactions Scraped Without User Knowledge

The payment app Venmo - which is owned by PayPal - believes that the social aspect of its app is a feature that users love. Because the app has all transactions set to "public" by default, users can peep in on their friends and acquaintances to see that Ashley paid Brendan for ramen the other night or that Sarah pays a lot in rent. The company even encourages users to decorate their bills and payments with cute emojis, which makes the Venmo feed look more like a sociable chat app than a financial institution.

However, that open-by-default aspect of Venmo's app may put users' privacy at risk, even outside the app. That fact was sharply illustrated when a computer science student named Dan Salmon scraped about seven million transactions that took place over a six-month period.

TechCrunch reports that Salmon used the Venmo API to scrape approximately 57,600 transactions per day, which is equivalent to about 40 per minute. He was able to do so without getting user permission or even using the app himself.

"There's truly no reason to have this API open to unauthenticated requests," Salmon told TechCrunch. "The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that's your goal then you should require a token with each request to verify that the user is logged in."

Salmon did not undertake this scraping task to sell Venmo user data or for any other malicious purpose. In fact, he did it to highlight the reality that Venmo's security is still lacking, despite promises made by the company last year. Those promises followed another data scrape, during which a former Mozilla fellow named Hang Do Thi Duc downloaded nearly 3 million transactions.

In response, the company made a few superficial changes - including removing a warning when people chose to go private by default, changing its privacy guide, and making it more difficult to scrape its data - but it didn't truly address the underlying privacy issues inherent to its app. And while Salmon's data collection was undeniably slower than the previous scrape, he was still able to gather information on 40 transactions per minute.

"I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key," Salmon said on GitHub. "There is some very valuable data here for any attacker conducting OSINT research."

As it appears that the company won't be taking steps to protect user privacy any time soon, it's up to users themselves to be proactive if they want their transactions to remain private. The best way to do so is to go to Settings > Privacy and select "Private," as well as Past Transactions > Change All to Private. If you're not sure how, Salmon has generously provided screenshots.
