Venmo privacy finally being fixed eight years after ‘alarming’ fails

Source Domain: 9to5mac.com

Problems with Venmo privacy were first highlighted way back in 2018. A security researcher demonstrated how the API could be used to obtain an alarming amount of personal data about users of the digital cash app.

A related vulnerability was still in place in 2024 when it was used to highlight potentially embarrassing information about JD Vance. A new report says that the company is very belatedly fixing the problem …

The problem has been that both Venmo transactions and the messages which accompany them have been public by default, along with your contacts in the app. A security researcher who analyzed more than 200 million transactions gave five illustrative stories about the embarrassing level of information revealed.

This included the transactions of a cannabis dealer, and a couple seemingly living a soap-opera relationship.

“Please leave me alone,” said the woman, who Do Thi Duc refers to as Susana.

“I just love you. I’m sad that you don’t understand,” replies the man.

In a later exchange, he says: “It’s pretty damn clear that you were using me all along. Took me a while to figure that out.” The next morning, he’s repentant. “I’m sorry. I take everything I said back.”

Venmo did later offer the opportunity to keep your contacts private, but this still wasn’t set as the default. That saw the issue hit the news again in 2024 when it revealed a contradiction between JD Vance’s claimed scorn for the elite with his own extensive network of contacts.

[His] public Venmo account gives an unfiltered glimpse into his extensive network of connections with establishment GOP heavyweights, wealthy financiers, technology executives, the prestige press, and fellow graduates of Yale Law School—precisely the elites he rails against.