Like many people, I use Venmo to pay for stuff: to split the check at dinner, to send my roommate my portion of the utility bills each month, to reimburse friends for concert tickets. It’s a useful app for sending and receiving money, regardless of who you bank with.
WIRED OPINION
ABOUT
Dan Salmon is a masters graduate from Minnesota State University who specializes in information security.
Last summer, after paying my portion of the electric bill via Venmo, I started to wonder if there were holes I could poke in the app. I was a grad student studying information security at the time, and I thought I might make some extra cash. Venmo is owned by PayPal, which has a public bug bounty program—that is, it pays hackers to report security vulnerabilities in its products.
After proxying my phone traffic through my laptop, I watched the network traffic as I navigated through the app. I noticed that when you open the Venmo home page, you’re shown a live feed of transactions being made by strangers. I could see a public API endpoint that was returning the data for this feed, meaning that anyone could make a GET request (like a simple page load) to see the latest 20 transactions made on the app by anyone around the world. To my surprise, this endpoint was accessible even outside the app, with no authorization needed. After some experimenting, I found that I could make two requests for transaction data per minute, per IP address.
I wrote up a quick, 20-line Python script and started scraping the API from two different IPs. Even with a rate limit in place, which limits the speed at which a single IP can make requests, I could download 115,000 transactions per day. Every few weeks, if I had some free time, I’d start the scrape again, cleaning the data and feeding it into a MongoDB database.
Initially, had no concrete plans for the data; having taken a fair number of courses involving data analytics and visualization, I thought it might be interesting to figure out which emoji was most frequently used in the transaction note. (Oddly enough, it’s the 🏈). But last month, I revisited the data to see what else I could gather from it.
As I pored over the trove, I became concerned that I had been able to amass such a large collection of people’s financial activity so easily, even if it was for mostly innocuous activities like splitting the cost of a pizza.
Of course, most people using Venmo are aware that their transactions—typically represented with a short description or a series of emoji—are visible to anyone who searches their username. After all, one of Venmo’s selling points is that the app makes sending and receiving money easy and social. But that public data isn’t as innocuous as you might think.
I asked myself “If I were an attacker and I had a specific target in mind, what could I glean about that person from this data? Is it useful to me?” The answer is yes, there’s a fair amount of useful information here available for nefarious purposes.
First, I can see which app you’re using to do business on Venmo. Though there are some third-party integrations with sites like Splitwise, for the most part the app is listed as either “Venmo for Android” or “Venmo for iPhone.” This information can be useful for a number of attacks. For example, hackers might try to phish your Apple ID credentials if they know you’re using an iPhone.
Since Venmo facilitates the transfer of money, there’s also the possibility that the money is being exchanged for non-legal goods. A quick search for a few drug names and slang terms turns up hundreds of transactions. Though it’s possible that many of these were jokes—admittedly, my friends do this—if those descriptions were accurate, an attacker may be able to use such information for blackmail.
But the most likely cyberattack to be conducted using Venmo data is spearphishing—and the amount of specific information available via the app would make for a very convincing phish. An attacker could easily find a list of the people that their target most frequently interacts with, as well as that person’s common spending habits. For example, if Andy frequently interacts with Shannon to pay for concert tickets, an attacker could craft a highly believable phishing message for Andy that looks like Shannon is sharing information about a concert with him and that he should log in to his Ticketmaster account to view it.
Unsurprisingly, I’m not the first to expose the potential for using Venmo data to carry out hacks. In fact, several engineers who examined Venmo’s API before me were able to dump much more data, much faster than I did, which suggests some infrastructure changes have been made by Venmo.
Despite minor improvements, Venmo’s public API endpoint still provides a bounty for bad actors. The good news? You can protect yourself by changing your privacy settings to private—and marking all your past transactions as private, as well. It’s up to users to decide what’s worth more: their privacy, or their digital sociability. As has recently become painfully clear, if you’re not paying for the product, you are the product.
WIRED Opinion publishes pieces written by outside contributors and represents a wide range of viewpoints. Read more opinions here. Submit an op-ed at opinion@wired.com