Venmo’s Public Transactions Policy Stirs Privacy Concerns | Threatpost

Your simple $5 Venmo payment to a friend after splitting a pizza could easily facilitate a range of malicious activity, from stalking to spear-phishing, researchers warn.

Many have weighed in on Venmo’s privacy practices, but the latest are the Mozilla Foundation and the Electronic Frontier Foundation (EFF), which on Thursday blasted the popular mobile payment app for its data-privacy policies. The organizations specifically pointed to the lack of privacy around Venmo transactions, which are public by default, and around users’ friend lists, which are public with no option to hide them at all.

Venmo, a mobile payment service owned by PayPal, is an app that enables friends to pay or request payments from one another. The app’s popularity is not to be overstated: it had 40 million active users in 2019, and $12 billion in transactions on the platform in the first quarter of 2018.

In a Thursday joint public letter the Mozilla Foundation and EFF penned their concerns. “We are writing to express our deep concern about Venmo’s disregard for the importance of user privacy, and to call on Venmo to make two critical changes to its privacy settings: Make transactions private by default, and give users privacy settings for their friend lists,” the organizations said in their letter.

The plea to Venmo comes after the app’s privacy policies were criticized by several researchers, who showed how they could scrape millions of Venmo payments without even using the app. That’s because Venmo serves its public transaction feed from an unauthenticated API endpoint, meaning that anyone, including people who are not Venmo users, can issue a GET request and read other users’ transactions.

Publicly available transactions reveal a user’s username, photo and friend list, the details of who they are sending money to, and a comment field in which users write a short message (usually about the transaction) with keywords or emojis.


While that data may seem innocuous, and does not reveal specific financial or contact details, former Mozilla Fellow Hang Do Thi Duc showed last year that 207,984,218 publicly available, easily scraped transactions laid bare Venmo users’ drug habits, junk food and alcohol vices, and even fights with significant others, for all to see.

For instance, the researcher was able to track a Venmo user selling pot in Santa Barbara, CA. The transactions between this user and his customers, which totaled 920 incoming payments in 2017, were captioned with emojis and mentions of “weed,” “grass,” “medicine,” “CBD” and “stacked kush” (see image to left).

The implications of such public data came to a head in July 2018 when a programmer scraped data of Venmo users and created a bot called “Who’s buying drugs on Venmo,” which tweeted out the usernames and photos of Venmo users who made transactions using a drug keyword or emoji.

In a more recent breakdown of Venmo’s privacy practices earlier this year, researcher Dan Salmon outlined how the public transactions give potential cybercriminals data that is useful for phishing attacks, such as whether a user is on iPhone or Android.

In one particularly concerning attack method, according to Salmon, a bad actor can easily see who Venmo users interact with, since their friend lists, and the people they send payments to, are public. This opens the door to spear-phishing, where the attacker poses as one of the victim’s friends.

“For example, if Andy frequently interacts with Shannon to pay for concert tickets, an attacker could craft a highly believable phishing message for Andy that looks like Shannon is sharing information about a concert with him and that he should log in to his Ticketmaster account to view it,” said Salmon.
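The two analyses described above, the keyword/emoji sweep that surfaced the Santa Barbara seller and the interaction-graph pretext Salmon describes, both reduce to a few lines of code once the feed is in hand. The following is an added example written for this article, not code from Venmo, Hang Do Thi Duc or Salmon. The feed is constructed, and the record field names (`actor`, `target`, `note`, `date`) are assumptions, not Venmo’s real API schema; the code deliberately does not contact any Venmo endpoint.

```python
"""Added example: what an attacker can derive from a public transaction feed.

Not Venmo's code or API. SAMPLE_FEED is constructed for illustration and the
field names (actor, target, note, date) are assumptions, not Venmo's schema.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed sample feed: a few friend payments and a cluster of payments
# to one recipient captioned with the kind of terms the article quotes.
SAMPLE_FEED = json.dumps([
    {"actor": "andy", "target": "shannon", "note": "concert tix 🎫", "date": "2018-06-01"},
    {"actor": "andy", "target": "shannon", "note": "tickets for the show", "date": "2018-07-14"},
    {"actor": "andy", "target": "shannon", "note": "concert", "date": "2018-08-03"},
    {"actor": "shannon", "target": "andy", "note": "pizza", "date": "2018-08-04"},
    {"actor": "bob", "target": "dealer42", "note": "🌿 weed", "date": "2018-05-12"},
    {"actor": "carol", "target": "dealer42", "note": "grass 🍁", "date": "2018-05-13"},
    {"actor": "dave", "target": "dealer42", "note": "CBD oil", "date": "2018-05-14"},
    {"actor": "erin", "target": "frank", "note": "rent", "date": "2018-05-15"},
])

# Terms taken from the captions quoted in the article. "medicine" is left out
# because as a bare keyword it would mostly produce false positives.
DRUG_KEYWORDS = {"weed", "grass", "kush", "cbd"}
DRUG_EMOJI = {"\U0001F33F", "\U0001F341", "\U0001F343"}  # herb, maple leaf, leaf

WORD_RE = re.compile(r"[a-z]+")


def load_feed(raw: str) -> list[dict]:
    """Parse the JSON feed into a list of transaction records."""
    return json.loads(raw)


def note_matches_drug_terms(note: str) -> bool:
    """Whole-word, case-insensitive keyword match, or any listed emoji."""
    words = set(WORD_RE.findall(note.lower()))
    return bool(words & DRUG_KEYWORDS) or any(e in note for e in DRUG_EMOJI)


def flag_drug_transactions(feed: list[dict]) -> list[dict]:
    """The 'Who's buying drugs on Venmo' filter: records whose note matches."""
    return [tx for tx in feed if note_matches_drug_terms(tx["note"])]


def incoming_flagged_counts(feed: list[dict]) -> Counter:
    """Flagged payments per recipient; a seller shows up as a large count."""
    return Counter(tx["target"] for tx in flag_drug_transactions(feed))


def interaction_graph(feed: list[dict]) -> dict[str, Counter]:
    """Undirected who-pays-whom graph: user -> Counter of counterparts."""
    graph: dict[str, Counter] = defaultdict(Counter)
    for tx in feed:
        graph[tx["actor"]][tx["target"]] += 1
        graph[tx["target"]][tx["actor"]] += 1
    return graph


def phishing_pretext(feed: list[dict], victim: str):
    """Salmon's scenario: the victim's most frequent counterpart and the
    most common word in their shared notes, i.e. a ready-made lure theme.
    Returns None when the victim has no public interactions."""
    counterparts = interaction_graph(feed)[victim]
    if not counterparts:
        return None
    friend, _ = counterparts.most_common(1)[0]
    words = Counter(
        w
        for tx in feed
        if {tx["actor"], tx["target"]} == {victim, friend}
        for w in WORD_RE.findall(tx["note"].lower())
    )
    theme = words.most_common(1)[0][0] if words else ""
    return friend, theme


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    print("flagged:", [(tx["actor"], tx["target"], tx["note"]) for tx in flag_drug_transactions(feed)])
    print("flagged payments per recipient:", incoming_flagged_counts(feed).most_common())
    print("pretext for andy:", phishing_pretext(feed, "andy"))
```

On the constructed feed the keyword sweep flags three payments, all to `dealer42`, and the pretext for `andy` comes back as his most frequent counterpart `shannon` with the theme `concert`, which is exactly the lure Salmon describes. The point for defenders is that none of this needs an account, credentials or anything beyond reading a public feed; the only control that removes the signal is making the transactions and friend lists private.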

Also this week, Mozilla delivered a petition signed by more than 25,000 Americans to the app’s New York headquarters, urging them to make transactions private by default.

Venmo, for its part, told CNET in July that making transactions public by default is part of its social strategy, saying “it’s fun to share [information] with friends in the social world.” The company did not immediately respond to a request for comment from Threatpost.

Moving forward, the Mozilla Foundation and EFF urged Venmo to make “pro-privacy” choices on its app, stressing that the failure to do so opens its users up to stalking, snooping and hacking.

“The list of people with whom you exchange money paints a startlingly clear picture of the people who live, date and do business with you,” they said. “Just as Venmo has given users newsfeed privacy settings, it must give them, at a minimum, equivalent friend list privacy settings.”