Dan Salmon, a computer science student, has managed to scrape seven million transactions on Venmo, proving that users’ public activity can be easily obtained. While Salmon initially scraped the data a year ago, recently, he scraped it once again and seemed to have obtained the data just as easily, indicating that Venmo hasn’t fixed anything so far.
Last year, Venmo faced severe criticism after a former Mozilla fellow managed to download more than 200 million transactions. One of the main reasons why such feats are possible is the fact that Venmo has chosen to keep transactions ‘public’ by default.
Salmon said that he previously scraped the transactions for a cumulative six months to raise awareness among Venmo users and urge them to set their payments to private. However, things didn’t seem to change when Salmon, a year after his first attempt to download user data, could once again successfully download millions of transactions through the company’s developer API.
With the scraped data, it is possible to intercept a user’s public transaction history, find out for what purpose they shared money, and more, making it a serious privacy threat. Nevertheless, Venmo hasn’t done anything to change the system yet.
It was later found that Venmo started trying to make obtaining user data more difficult instead of fixing the underlying privacy issues. For instance, in 2016 it was much easier to scrape data in bulk at high speeds. After internet researchers have made the fact that obtaining user data through scrapping was possible, Venmo placed limits on the amount of data that can be downloaded.
Regardless of the fixes, Salmon could still scrape nearly 57,600 transactions per day. While the rate of scraping is reduced, it is still a grim scenario to have public data exposed and available to be exploited by anyone willing to access the API.