Venmo is a peer-to-peer mobile app designed to make it easy to send and receive payments from friends. It is owned by PayPal — and it is no stranger to security issues.
In 2016, a security researcher discovered weaknesses in Venmo’s ‘reply-to-pay’ feature. The attacker needed physical access to the victim’s phone but did not need to unlock it. The attack relied on the Siri feature that lets users reply to text messages from a locked device, and on the message preview feature that displays part of an SMS on the lock screen. Both were enabled by default.
In this scenario, an attacker could send a ‘reply-to-pay’ message to his victim’s locked phone, and then use Siri to authorize the payment. As a result, the attacker could steal up to $2,999.99 per week from the victim. Ultimately, the Venmo developers responded by removing the SMS reply-to-pay function.
Last year, Hang Do Thi Duc, a Fellow at Mozilla, reported that she had scraped 207,984,218 Venmo transactions. The records exposed a considerable amount of personal information about the parties to each transaction. As an example, she described one user as ‘The Cannabis Retailer’.
“With access to the first name,” she wrote, “I could infer that this person was male. I was also able to determine that he operates out of Santa Barbara, California. You might wonder how: some of his customers have a Facebook URL as their profile picture which includes their Facebook ID and so it was easy for me to see where some of them, and therefore the protagonist of this story as well, live… He registered on January 24, 2017, a day before his first transaction, and had a total of 943 transactions in 2017.”
This was possible because Venmo exposes transactions through a developer API and records them as public by default. The developers appear to consider Venmo as much a social media tool as a payment tool: by default, it publishes a stream of its users’ transactions. Despite the severity of Hang Do Thi Duc’s findings, the response was primarily to change the product’s privacy guide and to remove the warnings shown when a user switched personal settings from public to private.
The result, as could be expected, is that little has really changed. Last week, researcher Dan Salmon posted more than 7 million new transactions scraped from Venmo onto GitHub. He collected them between July and September 2018, in October 2018, and in January and February 2019.
“I am releasing this dataset,” he said, “in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key. There is some very valuable data here for any attacker conducting OSINT research.”
While he has not posted any analysis of the scraped data, it is there for anyone to do so. And while explicitly labelled illicit transactions are unlikely, many could easily be decoded. Discussing her ‘cannabis retailer’, Hang Do Thi Duc says, “Other frequent messages include delivery, order, pill, deciduous_tree, evergreen_tree and headband, ‘an exotic strain of marijuana’ (Urban Dictionary).”
She adds, “My hunch is that even the ‘grocery’ transactions refer to drug deals — there are 36 incoming transactions from 23 different people with this topic. No one I know buys groceries this way.”
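To make concrete how a scraped public feed turns into the kind of profile described above (a Facebook ID leaked through a profile-picture URL, recurring note keywords, a count of how many different people paid under one ‘topic’), here is an added Python example. It is not code from this article, from Hang Do Thi Duc or from Dan Salmon. The record layout, field names and sample transactions are constructed for illustration and do not reproduce Venmo’s actual API schema; the flagged-token list simply echoes the words quoted above.

```python
import re
from collections import Counter

# Constructed sample of "public feed" records. Field names and values are
# illustrative assumptions, not Venmo's real schema.
SAMPLE_TRANSACTIONS = [
    {"payer": "alice_k", "payee": "retailer_sb", "note": ":evergreen_tree: delivery",
     "payer_picture": "https://graph.facebook.com/10000012345/picture?type=large"},
    {"payer": "bob_m", "payee": "retailer_sb", "note": "grocery",
     "payer_picture": "https://graph.facebook.com/10000098765/picture?type=large"},
    {"payer": "alice_k", "payee": "retailer_sb", "note": "grocery",
     "payer_picture": "https://graph.facebook.com/10000012345/picture?type=large"},
    {"payer": "carol_p", "payee": "retailer_sb", "note": ":headband: order",
     "payer_picture": "https://pics.example.invalid/carol_p.png"},
    {"payer": "dave_r", "payee": "retailer_sb", "note": "pill delivery",
     "payer_picture": None},
    {"payer": "alice_k", "payee": "bob_m", "note": "dinner split",
     "payer_picture": "https://graph.facebook.com/10000012345/picture?type=large"},
    {"payer": "erin_w", "payee": "retailer_sb", "note": "rent",
     "payer_picture": None},
]

# A Facebook Graph picture URL embeds the numeric user ID in its path.
FB_PICTURE_RE = re.compile(r"graph\.facebook\.com/(\d+)/picture")
# Notes are lower-cased and split into words / :emoji_shortcode: names.
TOKEN_RE = re.compile(r"[a-z_]+")

# Words and emoji shortcodes the quoted analysis found recurring (assumed list).
FLAGGED_TOKENS = {"deciduous_tree", "evergreen_tree", "headband", "pill",
                  "delivery", "order", "grocery"}


def note_tokens(note):
    """Return the lower-case word and shortcode tokens of a payment note."""
    return TOKEN_RE.findall(note.lower())


def linked_facebook_ids(records):
    """Map payer handle -> Facebook numeric ID exposed via a Graph picture URL."""
    ids = {}
    for rec in records:
        match = FB_PICTURE_RE.search(rec.get("payer_picture") or "")
        if match:
            ids[rec["payer"]] = match.group(1)
    return ids


def profile_payee(records, payee):
    """Summarise everything the public feed reveals about one payee."""
    incoming = [r for r in records if r["payee"] == payee]
    token_counts = Counter(t for r in incoming for t in note_tokens(r["note"]))

    # How many *different* people paid under each note topic (cf. "36 incoming
    # transactions from 23 different people" in the article).
    payers_by_token = {}
    for r in incoming:
        for t in set(note_tokens(r["note"])):
            payers_by_token.setdefault(t, set()).add(r["payer"])

    total_tokens = sum(token_counts.values()) or 1
    return {
        "incoming": len(incoming),
        "distinct_payers": len({r["payer"] for r in incoming}),
        "token_counts": token_counts,
        "payers_per_token": {t: len(p) for t, p in payers_by_token.items()},
        "flagged_share": sum(token_counts[t] for t in FLAGGED_TOKENS) / total_tokens,
        # Payers whose real identity is recoverable from their picture URL.
        "payers_with_facebook_id": linked_facebook_ids(incoming),
    }


if __name__ == "__main__":
    summary = profile_payee(SAMPLE_TRANSACTIONS, "retailer_sb")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Nothing here requires an API key or any access beyond what the feed publishes; the inferences fall out of a regular expression and a frequency count, which is why a default-public transaction stream is a privacy problem regardless of how innocuous each individual note looks.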
So, beyond the basic loss of privacy that many Venmo users probably do not realize they have suffered, there is also the threat of extortion against drug sellers where cannabis is still illegal, and of curious teens discovering cannabis retailers. This particular retailer, it should be noted, works out of California, where it is legal. But still…
The problem is easily solved. Even though Venmo has not made ‘private’ the default setting, users should seriously consider changing it themselves. There is little benefit in telling the world, through a payment app, where you spend your money and on what.