

Dan Salmon is a master's graduate from Minnesota State University who specializes in information security.

Last summer, after paying my portion of the electric bill via Venmo, I started to wonder if there were holes I could poke in the app. I was a grad student studying information security at the time, and I thought I might make some extra cash. Venmo is owned by PayPal, which has a public bug bounty program: it pays hackers to report security vulnerabilities in its products.

After proxying my phone traffic through my laptop, I watched the network traffic as I navigated through the app. I noticed that when you open the Venmo home page, you're shown a live feed of transactions being made by strangers. I could see a public API endpoint that was returning the data for this feed, meaning that anyone could make a GET request (like a simple page load) to see the latest 20 transactions made on the app by anyone around the world. To my surprise, this endpoint was accessible even outside the app, with no authorization needed. After some experimenting, I found that I could make two requests for transaction data per minute, per IP address.

Since Venmo facilitates the transfer of money, there's also the possibility that the money is being exchanged for non-legal goods. A quick search for a few drug names and slang terms turns up hundreds of transactions. Though it's possible that many of these were jokes (admittedly, my friends do this), if those descriptions were accurate, an attacker may be able to use such information for blackmail.

But the most likely cyberattack to be conducted using Venmo data is spearphishing, and the amount of specific information available via the app would make for a very convincing phish. An attacker could easily find a list of the people that their target most frequently interacts with, as well as that person's common spending habits.
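The following Python sketch is an added example, not Dan Salmon's scraper and not any Venmo code. It shows the three mechanics the account above turns on: pacing unauthenticated GETs to a per-IP limit of two per minute (a 30 s interval), deduplicating overlapping "latest 20" pages into one record set, and aggregating that set into the per-user view an attacker would want (most frequent counterparts plus free-text payment notes, with a keyword search over the notes). The feed records, their field names (`id`, `actor`, `target`, `note`, `created`) and the keyword list are constructed for illustration and are not the real API's schema; `fetch_page` is a stand-in for whatever issues the request.

```python
"""Aggregating a public payment feed into per-user profiles.

Added example, not the scraper described in the text. The records and
field names below are a constructed, assumed shape, not Venmo's schema.
"""
import re
import time
from collections import Counter

# Constructed sample of two overlapping "latest transactions" pages.
SAMPLE_FEED = [
    {"id": 1, "actor": "alice", "target": "bob", "note": "rent", "created": "2018-07-01T09:00:00"},
    {"id": 2, "actor": "bob", "target": "alice", "note": "electric bill", "created": "2018-07-02T18:30:00"},
    {"id": 3, "actor": "alice", "target": "carol", "note": "pizza", "created": "2018-07-03T21:10:00"},
    {"id": 4, "actor": "alice", "target": "bob", "note": "rent", "created": "2018-08-01T09:05:00"},
    {"id": 5, "actor": "dave", "target": "erin", "note": "for the weed lol", "created": "2018-08-02T23:40:00"},
    {"id": 6, "actor": "alice", "target": "bob", "note": "utilities", "created": "2018-09-01T09:00:00"},
]

# Constructed stand-in for the "drug names and slang terms" search;
# a real pass would use a much longer list.
DRUG_TERMS = re.compile(r"\b(weed|molly|adderall|shrooms)\b", re.IGNORECASE)


class Pacer:
    """Space requests so a per-IP limit of `per_minute` is never exceeded.

    clock and sleep are injectable so the pacing can be checked
    without actually waiting (the test below uses a fake clock).
    """

    def __init__(self, per_minute, clock=time.monotonic, sleep=time.sleep):
        self.interval = 60.0 / per_minute  # 2/min -> 30 s between requests
        self.clock = clock
        self.sleep = sleep
        self.last = None

    def wait(self):
        """Block until the next request is allowed; return seconds slept."""
        now = self.clock()
        delay = 0.0
        if self.last is not None:
            delay = max(0.0, self.last + self.interval - now)
            if delay:
                self.sleep(delay)
        self.last = now + delay
        return delay


def collect(fetch_page, n_pages, pacer):
    """Pull n_pages feed pages through the pacer, deduplicating by id.

    fetch_page is any callable returning one page (a list of records).
    In practice it would issue the unauthenticated GET the text
    describes; the test passes a fake that replays SAMPLE_FEED slices.
    Because consecutive pages of a "latest 20" feed overlap, records
    are keyed by id so each transaction is kept once.
    """
    seen = {}
    for _ in range(n_pages):
        pacer.wait()
        for tx in fetch_page():
            seen.setdefault(tx["id"], tx)
    return list(seen.values())


def profile_user(feed, user):
    """Aggregate everything the feed exposes about one user.

    Returns the user's counterparts ranked by how often they transact
    together, and the notes on every payment the user sent or received:
    the "who they interact with" and "spending habits" view the text
    describes.
    """
    counterparts = Counter()
    notes = []
    for tx in feed:
        if tx["actor"] == user:
            counterparts[tx["target"]] += 1
        elif tx["target"] == user:
            counterparts[tx["actor"]] += 1
        else:
            continue
        notes.append(tx["note"])
    return {"counterparts": counterparts.most_common(), "notes": notes}


def flag_notes(feed, pattern=DRUG_TERMS):
    """Return (actor, target, note) for every note matching pattern."""
    return [(tx["actor"], tx["target"], tx["note"])
            for tx in feed if pattern.search(tx["note"])]


if __name__ == "__main__":
    pages = iter([SAMPLE_FEED[:4], SAMPLE_FEED[2:]])
    records = collect(lambda: next(pages), 2, Pacer(per_minute=2))
    print(profile_user(records, "alice"))
    print(flag_notes(records))
```

Run stand-alone, the script pauses 30 s between its two simulated page pulls, which is the practical ceiling the text implies: at two pages of 20 per minute, one IP can observe at most 40 new transactions a minute, so a scraper that wants more coverage either runs longer or spreads across addresses.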
