But the most likely cyberattack to be conducted using Venmo data is spearphishing—and the amount of specific information available via the app would make for a very convincing phish.
I asked myself, “If I were an attacker and I had a specific target in mind, what could I glean about that person from this data? Is it useful to me?” The answer is yes: there is a fair amount of information here that could be put to nefarious use.
In fact, several engineers who examined Venmo's API before me were able to dump much more data, much faster than I did, which suggests some infrastructure changes have been made by Venmo.
Initially, I had no concrete plans for the data; having taken a fair number of courses involving data analytics and visualization, I thought it might be interesting to figure out which emoji was most frequently used in the transaction note. (Oddly enough, it’s the ????.)
I could see a public API endpoint that was returning the data for this feed, meaning that anyone could make a GET request (like a simple page load) to see the latest 20 transactions made on the app by anyone around the world.
Unsurprisingly, I'm not the first to expose the potential for using Venmo data to carry out hacks.
Like many people, I use Venmo to pay for stuff: to split the check at dinner, to send my roommate my portion of the utility bills each month, to reimburse friends for concert tickets.
I noticed that when you open the Venmo home page, you’re shown a live feed of transactions being made by strangers.
Of course, most people using Venmo are aware that their transactions—typically represented with a short description or a series of emoji—are visible to anyone who searches their username.
For example, if Andy frequently interacts with Shannon to pay for concert tickets, an attacker could craft a highly believable phishing message for Andy that looks like Shannon is sharing information about a concert with him and that he should log in to his Ticketmaster account to view it.
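The Andy-and-Shannon scenario above is really a question of how much a public feed reveals about one account: who a user pays, how regularly, and what the notes say. The following self-audit is an added example, not code from the original article and not anything Venmo publishes; it runs over a constructed sample feed whose field names (`actor`, `target`, `note`, `date`) are an assumption rather than Venmo's real API schema. Given records that mention a username, it ranks counterparties by frequency, flags relationships that recur in three or more distinct months, and counts the most common words in notes, which is exactly the material a phishing pretext would be built from and therefore what a user or platform would want to measure before deciding whether transactions should default to private.

```python
from collections import Counter, defaultdict
from datetime import date
import re

# Constructed sample records resembling a public transaction feed.
# Field names are an assumption for this example, not Venmo's real schema.
SAMPLE_FEED = [
    {"actor": "andy", "target": "shannon", "note": "concert tickets 🎟️", "date": "2019-03-02"},
    {"actor": "andy", "target": "shannon", "note": "tickets again 🎸", "date": "2019-05-14"},
    {"actor": "andy", "target": "mike", "note": "utilities", "date": "2019-01-01"},
    {"actor": "andy", "target": "mike", "note": "utilities", "date": "2019-02-01"},
    {"actor": "andy", "target": "mike", "note": "utilities", "date": "2019-03-01"},
    {"actor": "lena", "target": "andy", "note": "dinner 🍕", "date": "2019-04-09"},
    {"actor": "bob", "target": "carol", "note": "rent", "date": "2019-04-01"},
]

WORD = re.compile(r"[a-z]+")


def exposure_profile(feed, username, recurring_months=3):
    """Summarise what a public feed reveals about one user.

    Returns the user's counterparties ranked by transaction count, the
    counterparties seen in at least `recurring_months` distinct months
    (a likely standing arrangement such as rent or utilities), and the
    most common words in the notes, which are the raw material for a
    believable pretext and so the first thing a privacy review should
    look at.
    """
    counterparties = Counter()
    months = defaultdict(set)
    words = Counter()
    for tx in feed:
        if username not in (tx["actor"], tx["target"]):
            continue  # transactions the user is not party to say nothing about them
        other = tx["target"] if tx["actor"] == username else tx["actor"]
        counterparties[other] += 1
        d = date.fromisoformat(tx["date"])
        months[other].add((d.year, d.month))
        words.update(WORD.findall(tx["note"].lower()))
    recurring = sorted(o for o, m in months.items() if len(m) >= recurring_months)
    return {
        "counterparties": counterparties.most_common(),
        "recurring": recurring,
        "top_words": words.most_common(3),
    }


if __name__ == "__main__":
    profile = exposure_profile(SAMPLE_FEED, "andy")
    print("counterparties:", profile["counterparties"])
    print("recurring:", profile["recurring"])
    print("top note words:", profile["top_words"])
```

On the constructed sample the audit shows that "andy" has a monthly relationship with "mike" under the word "utilities" and a repeated one with "shannon" around "tickets"; an account whose profile looks like this has given away enough for a targeted message, which is the argument for making transactions private by default.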
Venmo is owned by PayPal, which has a public bug bounty program—that is, it pays hackers to report security vulnerabilities in its products.
“I Scraped Millions of Venmo Payments. Your Data Is at Risk” https://t.co/gwg4Z0KOvA — Digg Tech (@diggtech), June 26, 2019