NEW YORK—A computer science student has scraped seven-million Venmo transactions to prove that users’ public activity can still be easily obtained, a year after a privacy researcher downloaded hundreds of millions of Venmo transactions in a similar feat.
Dan Salmon said he scraped the transactions during a cumulative six months to raise awareness and warn users to set their Venmo payments to “private,” Tech Crunch reported.
The peer-to-peer mobile payments service faced criticism last year after Hang Do Thi Duc, a former Mozilla fellow, downloaded 207-million transactions. The scraping effort was possible because Venmo payments between users are public by default. The scrapable data inspired several new projects — including a bot that tweeted out every time someone bought drugs, Tech Crunch said.
Now, Salmon has shown little has changed in a year and that it’s still easy to download millions of transactions through Venmo’s developer API without obtaining user permission or needing the app.
‘Anyone Can Look’
“Using that data, anyone can look at an entire user’s public transaction history, who they shared money with, when, and in some cases for what reason — including illicit goods and substances,” Tech Crunch said.
“There’s truly no reason to have this API open to unauthenticated requests,” Salmon told TechCrunch. “The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that’s your goal then you should require a token with each request to verify that the user is logged in.”