If you’ve ever used Venmo, you know that the app defaults to showing your transactions publicly. That means everyone knows when you’ve sent a friend $5 for pizza or an Uber ride home. What users may not know is that anyone can set their transactions to private.
Last year, former Mozilla fellow Hang Do Thi Duc published “Public By Default,” a compilation of 207 million Venmo transactions.
Now, another person has gathered millions of people’s Venmo transactions to prove that, a year later, nothing on the app has changed. Computer science student Dan Salmon scraped seven million transactions over six months, TechCrunch reported.
Salmon downloaded transactions through the company’s developer API. He didn’t need users’ permission or even the app to do so.
“There’s truly no reason to have this API open to unauthenticated requests,” Salmon told TechCrunch. “The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that’s your goal then you should require a token with each request to verify that the user is logged in.”
Both projects were meant to show that people’s Venmo transactions are not only easy to obtain but can also tell you a lot about somebody. You can learn the names of people’s family members and friends, what they spend their money on, and more.
Venmo hasn’t done much to improve its privacy. Last year, PayPal, Venmo’s owner, settled with the Federal Trade Commission over charges that “Venmo misled consumers about the extent to which they could control the privacy of their transactions.”
If you’re a Venmo user, this is a reminder to change your settings in the app. It’s better to exercise some caution than none at all.