Researcher Publishes 7 Million (Still Public) Venmo Transactions on GitHub

Remember the outrage last year when a researcher discovered that for Venmo's 40 million users, all transactions are "public" by default and broadcast on Venmo's API?

More than a year later, computer science student Dan Salmon has demonstrated that it's still incredibly easy to download millions of transactions through Venmo's developer API without obtaining user permissions (without even using the Venmo app).

He proved this by downloading 7 million of them," TechCrunch reports: Dan Salmon said he scraped the transactions during a cumulative six months to raise awareness and warn users to set their Venmo payments to private... Using that data, anyone can look at an entire user's public transaction history, who they shared money with, when, and in some cases for what reason -- including illicit goods and substances.

"There's truly no reason to have this API open to unauthenticated requests," he told TechCrunch. "The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that's your goal then you should require a token with each request to verify that the user is logged in."

He published the scraped data on his GitHub page.

That is a lot of data that will be pubic forever

[SuperKendall]

Looked at the the GitHub page, it's a gig compressed and 10GB uncompressed - a MongoDB BSON file.

Looks like there's no need to rush to download though since they have a torrent up for it, the dataset will be floating around until the end of time.

Great news for historians, imagine if video recordings of Roman baths had been made for years on end and then torrented. How much you can learn about real society through observation of the most casual behavior.

Re:

[6Yankee]

Might want to edit out that apostrophe of yours.

That is what scientific misconduct looks like

[gweihir]

If it were up to me, that person would never get a degree for gross ethical misconduct. You do _not_ publish personal data of this type unanonymized. An anonymized version would still have proven his point nicely. Instead he does this. Unacceptable.

I agree...

[SuperKendall]

Yeah, I thought it was not well thought out to publish all this and not scrub anything. Doesn't seem like a great idea from a legal standpoint either.

And like I said in my other post, the cat is really out of the bag with a torrent being up on this... this data file is essentially out there forever now.

I do wonder if this means App Store review needs to do more to validate security around data calls, the fact they didn't use tokens for data requests seems like something that could be detected and asked ab

Whose standards, for whom?

[Anonymous Coward]

Good thing venmo isn't going for a degree but is a company and therefore has no ethical whatnots to worry about whatsoever, eh.

Arguably that data was already public, so scrubbing it would not matter much. Certainly it was already known that this thing existed AND transactions are "public" by default AND venmo didn't do squat the first time they were called out on their practice. Thereby, a case could be made that their users should have known that their details were being published like that already, have b

Re:

[Anubis IV]

If it were up to me, that person would never get a degree for gross ethical misconduct.

Sheesh, they have degrees for everything now. Or, wait, is that what they’re calling MBA degrees these days?

Re:

[hai_Priesty]

Reply to undo the wrong mod. LOL.

Re:

[nnull]

What about all the EDI stuff that gets published in the clear? All because it will break compatibility with whatever software the company you're dealing with uses.

I'd say about 99% of my customers all uses EDI that is transmitting personal data in the clear, because that's what they want and it irks me that I have to make my software conform to that. The whole damn system is broken and nobody cares.

Oops, did I mention something that someone is going to check now?

What does anonymization look like?

[tepples]

What kind of anonymization would have been sufficient? The sort of anonymization that Netflix did for its Cinematch improvement contest [wikipedia.org] turned out not to be sufficient to satisfy the Video Privacy Protection Act, as researchers from the University of Texas were able to ID individual users.

Re:

[gweihir]

Since you do not need to be able to reverse the anonymization or keep statistical properties, just blank personal information completely.

From the JSON sample on the git-page, leaving in only the tech-ids and timestamps would be more than enough to verify the data is genuine. The tech-ids could also be cut down to half or less digits so nobody can guess them. Even only the timestamps would probably be enough to prove the data is genuine.

The problem with most anonymization is that you need to keep being able

Re:

[AmiMoJo]

It's already been published, that's how Venmo works. By default every transaction you make is published on a public feed for anyone to read. The API just makes scraping a little easier, but anyone could do it via the web too. People who have set their transactions to private are not in the dataset because the API doesn't offer them up.

This was warned about over a year ago, when someone else released 200 million transactions that they scraped. That boat sailed long ago.

The scandal here is that Venmo has done

Re:

[dcollins117]

Perhaps some of that outrage should be reserved for Venmo, who made the data public in the first place.

Geez.

[h33t l4x0r]

That's almost as long as a CVS receipt.

Researcher publishers?

[CrimsonAvenger]

I'm assuming this was another shining example of the high quality editing our editors do, day in and day out.

Though it's always possible that someone is publishing researchers somewhere, I suppose....