Venmo and the Web-Service Tool of my App

Venmo (about 1.5 million users) allows people to send payments to other Venmo accounts. Venmo belongs to PayPal and is quite popular in the US, especially among young people. The Venmo service has lacked essential security safeguards for some time, and still does. Most Venmo accounts can be freely accessed by anybody via a Web-Service; it is completely unprotected. The information available from this Web-Service includes very private and intimate data, including chat messages, pictures and payment information. Venmo does not see this as an issue, because its users have the possibility to opt out of sharing their data with the public, but most users are not aware of that.

Now, back to my App:

NetworkToolbox contains a Web-Service Tool, and this Venmo security issue is a very nice example of how to use this Tool.

We know that the so-called ‘endpoint’ for the Venmo Web-Service is https://venmo.com/api/v5/public?limit=x (where x is the number of accounts you would like to receive).

To use this Web-Service, we first open the Web-Service Tool and tap on the [=] button in the ‘Service:’ line.

On the following screen, we enter venmo.com as the URL for the Endpoint. Next, we enter /api/v5/public?limit=20 in the URL Parameter field and hit the check-mark button to save and close this screen.

Next, back on the main page of the tool, we enter 443 as the port, because this is an https:// connection.

Next, we hit the Get button and will see the following results:

So we have 20 data sets, as expected because of the limit=20 parameter. When tapping on a data line, you will see the details of these data sets:

And when drilling further down you will see details about the person behind this account:

Including their picture:

Don’t trust the evil.

Marcus

P.S. A new update for my App will be available soon. Today I am finishing the tests, fixing a few things that were reported by Beta testers (Thank you!!!), and once that’s done, I will send this update to Apple. This was indeed overdue.

P.P.S. My “Don’t trust the evil” signature was derived from Google’s “Don’t be evil”. As Google (aka Alphabet) has now removed its slogan (probably for a reason), I wonder if I should find a new one as well? Maybe not, as this term still remains true, whereas Google’s slogan was wrong all the time.