March 27, 2015
Single purpose API
Mobile payment service Venmo, which is owned and operated by PayPal, abruptly shut off new developers from its public API, which handles payment invoices and distribution of receipts to external web services. Venmo had created confusion after first stating that it was shuttering its API altogether.
The way the Square API delivers JSON output makes it possible for an attacker to carry out a cross-site scripting (XSS) attack under certain circumstances. The vulnerability was discovered by security researcher Ajay Chavda and reported to Square on August 7, 2015 through its bounty program on HackerOne.