Online payments company PayPal has come under fire after a UX designer pulled Venmo's public API apart and found over 207 million transactions from 2017, together with the personal information attached to them, openly accessible to anyone.
German-born Vietnamese designer Hang Do Thi Duc had started to question why Venmo, a person-to-person payments service, sets personally identifiable information and transaction history to public by default. Unsettled by seeing other users' financial transactions out in the open, she set out to pull every public 2017 transaction from the Venmo API.
"One would think that when it comes to money, privacy by design is of greater importance and higher demand," Hang wrote in Public by Default, a site dedicated to the issue.
But Venmo is not merely a payments app; it doubles as a social network where users connect with friends and family. By default, Venmo shows real names, profile links (where previous transactions are listed), Facebook IDs, and each user's network of friends.
"Many products that we use on a daily basis make it more difficult than it should be to protect our privacy, our most personal information. Many of these products share data (publicly) by default. Venmo is an example of one of these products."
Unless a savvy user switches their profile and transactions to private, chances are their entire in-app activity is an open secret for Venmo's roughly 7 million users and anyone else who cares to look: what they are buying, who they are sending money to, and the notes explaining why.
Through the public API, Hang collected a total of 207,984,218 transactions. By reading user profiles and transactions, she said, she learned "an alarming amount about them." From drug dealers to feuding couples, Hang said she had seen it all.
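To make concrete what "an alarming amount" means, here is an added illustration (not part of the original article and not Hang's own code) of the inferences a public payment feed invites once it is flattened into rows: who pays whom and how often, which notes touch sensitive topics, and which payments recur. The feed records, the nested field names (`actor`, `transactions`, `target`, `message`), the usernames and the keyword list are all constructed assumptions for this example, not real Venmo data or Venmo's actual API schema; nothing here touches the network.

```python
"""Profile what a public payments feed leaks.

All sample records below are constructed for this example; the field names
are an assumed shape for a social-payments public feed, not Venmo's schema.
"""
import json
from collections import Counter, defaultdict

# Constructed sample feed (fictional people, fictional payments).
SAMPLE_FEED = json.dumps({"data": [
    {"created_time": "2017-03-01T18:02:11Z", "message": "rent 🏠",
     "actor": {"name": "Alice Example", "username": "alice-example"},
     "transactions": [{"target": {"name": "Bob Sample", "username": "bob-sample"}}]},
    {"created_time": "2017-03-03T09:40:00Z", "message": "🍕 + drinks",
     "actor": {"name": "Alice Example", "username": "alice-example"},
     "transactions": [{"target": {"name": "Carol Demo", "username": "carol-demo"}}]},
    {"created_time": "2017-03-05T22:15:45Z", "message": "weed 🌿",
     "actor": {"name": "Dan Test", "username": "dan-test"},
     "transactions": [{"target": {"name": "Bob Sample", "username": "bob-sample"}}]},
    {"created_time": "2017-04-01T18:00:00Z", "message": "rent",
     "actor": {"name": "Alice Example", "username": "alice-example"},
     "transactions": [{"target": {"name": "Bob Sample", "username": "bob-sample"}}]},
    {"created_time": "2017-04-02T12:30:00Z", "message": "copay, feeling better thx",
     "actor": {"name": "Bob Sample", "username": "bob-sample"},
     "transactions": [{"target": {"name": "Dr. Eve Clinic", "username": "eve-clinic"}}]},
]})

# Illustrative keyword categories (an assumption; a real study would curate a larger list).
SENSITIVE_TERMS = {
    "drugs": ("weed", "🌿", "molly"),
    "health": ("copay", "pharmacy", "therapy"),
    "housing": ("rent",),
}


def parse_feed(raw):
    """Flatten the nested feed into (when, payer, payee, note) rows."""
    rows = []
    for item in json.loads(raw)["data"]:
        payer = item["actor"]["username"]
        for tx in item["transactions"]:
            rows.append((item["created_time"], payer,
                         tx["target"]["username"], item.get("message") or ""))
    return rows


def real_names(raw):
    """Username -> real name: every record hands out this mapping for free."""
    names = {}
    for item in json.loads(raw)["data"]:
        names[item["actor"]["username"]] = item["actor"]["name"]
        for tx in item["transactions"]:
            names[tx["target"]["username"]] = tx["target"]["name"]
    return names


def counterparties(rows):
    """Undirected who-pays-whom graph with edge counts: the user's social circle."""
    graph = defaultdict(Counter)
    for _, payer, payee, _ in rows:
        graph[payer][payee] += 1
        graph[payee][payer] += 1
    return graph


def flag_notes(rows):
    """Tag each payment whose note matches a sensitive-term category."""
    flagged = []
    for when, payer, payee, note in rows:
        low = note.lower()
        cats = sorted(c for c, terms in SENSITIVE_TERMS.items()
                      if any(t in low for t in terms))
        if cats:
            flagged.append((when[:10], payer, payee, cats))
    return flagged


def recurring_payments(rows, min_count=2):
    """Same payer -> payee with the same leading word repeatedly (rent, allowance...)."""
    keys = Counter()
    for _, payer, payee, note in rows:
        first_word = note.strip().lower().split()[0] if note.strip() else ""
        keys[(payer, payee, first_word)] += 1
    return {k: n for k, n in keys.items() if n >= min_count}


if __name__ == "__main__":
    rows = parse_feed(SAMPLE_FEED)
    names = real_names(SAMPLE_FEED)
    for user, circle in counterparties(rows).items():
        print(f"{names[user]} ({user}) transacts with:", dict(circle))
    print("sensitive notes:", flag_notes(rows))
    print("recurring:", recurring_payments(rows))
```

Even five constructed records are enough to attach a real name to every username, show that one user pays another the same "rent" note every month, and surface a note a third party might rather not have public. Scaled to 207 million records, that is the dataset the article describes.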
I wonder how many people using Venmo realize that their full name, picture, the recipient and more is all public information? I mean, here’s the last 100 payments made using Venmo returned in JSON. This architecture boggles my mind. https://t.co/Vv3SV4DfGJ
— Mike Rundle (@flyosity) July 17, 2018
Amid the criticism and bad press, PayPal Holdings, which acquired Braintree along with Venmo in 2013, has remained silent on the issue.
"Why include all this information, when essentially the only interesting part is the message? If you -- as a company -- actually care about your users and their privacy you would ask this kind of question," Hang wrote.
PayPal has yet to respond on the matter.