Users of the PayPal-owned digital wallet payment system Venmo are being pushed to change their account information after a researcher was able to access the details of up to seven million transactions and then published them online to GitHub.
Dan Salmon, a computer science student at Minnesota State University, amassed the gargantuan dataset over a six-month period, as reported by The Next Web.
“I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key,” he wrote on GitHub, warning users of Venmo’s services to change all their privacy details, and delete any existing transaction history.
“I would highly encourage all users to switch their Venmo account to private,” Salmon said, “by going to settings > privacy and selecting ‘Private’ as well as Past Transactions > Change All to Private,” he continued to explain to users concerned about their data.
Venmo has more than 40 million active monthly users, and, according to TNW, “makes transaction details public by default.”
“This includes usernames, full names, profile pictures, recipient information, and more. It, however, provides you with an option to change the privacy setting for each payment individually.”
According to The Next Web, “the development comes more than a year after a similar finding by Hang Do Thi Duc, a former Mozilla fellow, unearthed more than 200 million Venmo public transactions.”
A report from Info Security quoted Ilia Kolochenko, founder and CEO of information security company ImmuniWeb, who said that “transparency may often be used against the legitimate interests of the end users.”
“Probably very few of us wish to share all their payment transactions with the rest of the world even if we have nothing to hide. Venmo should explicitly and conspicuously notify all its users that their transactions are accessible by everyone unless they update their settings,” Kolochenko said.
“Anti-scraping functionality probably requires holistic testing via an open bug bounty program, for example, to spot and remediate as many anti-automation bypasses as possible. This will not provide absolute protection, but at least will considerably reduce the efficiency of data-scraping campaigns. Without all these common-sense measures, Venmo may face serious legal ramifications and severe monetary penalties in many jurisdictions, let alone disgruntled users and loss of revenue.”