Venmo transactions are still easily obtained, according to computer science student Dan Salmon, who says that he accessed millions of transactions over a six-month period in an effort to raise awareness about privacy on the popular PayPal-owned peer-to-peer payments service.
Last year, researcher and Mozilla fellow Hang Do Thi Duc called attention to the ease with which Venmo transactions can be accessed through its API. Do Thi Duc was able to download more than 200 million transactions and created a website, Public by Default, to demonstrate just how much transaction data can reveal about individuals.
Following Do Thi Duc's exposé, Venmo, which makes users' transactions public by default, rejected calls to embrace so-called "privacy by design" but did take some actions to educate users on privacy settings. It also changed functionality in its app that appeared to discourage users from making their transaction history private when they attempted to do so, and it added new limits to its API that, in theory, make it more difficult for developers to download vast amounts of historical transaction data.
But even with those limits, Salmon says he was able to download some 57,600 transactions per day without even having to authenticate with Venmo's API. "There’s truly no reason to have this API open to unauthenticated requests," he told TechCrunch. "The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that’s your goal then you should require a token with each request to verify that the user is logged in."