Venmo Security Flaw Puts 200 Million Transactions in the Public Eye
A researcher from Berlin recently went through over 207 million public Venmo transactions from 2017. Her goal was to show flaws in Venmo’s default security settings by revealing just how much information was accessible to the public.
Hang Do Thi Duc created a website for her findings called Public by Default. The site takes you through her research process, including a public link from Venmo that shows the latest transaction on the app. Every time you refresh the page, you can see a new transaction, including the user’s first and last name as well as a link to their profile picture.
The public data displays the message attached to the transaction, along with the transaction type (payment or charge). We sifted through a handful of them and found that most were payments for food or refunds. Some of them were more specific though, like “cable bill 1/2 of 61.94.” Another said “Medssssss,” which could indicate a drug deal.
Do Thi Duc used the readily available information to dive into the lives of five unsuspecting users. She was able to learn “an alarming amount about them,” from where they live to the types of transactions they conducted, many of which were illegal. Some users had their Facebook profile picture connected to their Venmo accounts, making it easy to track them on social media.
By default, all Venmo transactions are public. Any person can view them, even if they do not have a Venmo account. Do Thi Duc encourages all users to change their settings to private, even if their transactions are harmless. “Once your information is public, it’s very difficult to get it back!”
Changing the privacy settings on Venmo is fairly simple. Go to the settings menu and click on Privacy. Select Private, and click on the area for “Past transactions.” Select Change All to Private to hide past transactions as well as future ones.