Dan Salmon is a master's graduate from Minnesota State University who specializes in information security.

Last summer, after paying my portion of the electric bill via Venmo, I started to wonder if there were holes I could poke in the app. I was a grad student studying information security at the time, and I thought I might make some extra cash. Venmo is owned by PayPal, which has a public bug bounty program; that is, it pays hackers to report security vulnerabilities in its products.

After proxying my phone traffic through my laptop, I watched the network traffic as I navigated through the app. I noticed that when you open the Venmo home page, you're shown a live feed of transactions being made by strangers. I could see a public API endpoint that was returning the data for this feed, meaning that anyone could make a GET request (like a simple page load) to see the latest 20 transactions made on the app by anyone around the world. To my surprise, this endpoint was accessible even outside the app, with no authorization needed. After some experimenting, I found that I could make two requests for transaction data per minute, per IP address. Since Venmo facilitates the transfer of money, there's also the possibility that the money is being exchanged for non-legal goods.
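The post describes an unauthenticated feed endpoint throttled to two GET requests per minute per IP address. The following added example (not code from the post or from Venmo) shows how an operator would check access logs for clients that exceed that quota, using a per-IP sliding window; the endpoint path, IP addresses and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in Common Log Format.
# The path /api/public/feed and the IPs are hypothetical placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2019:10:00:01 +0000] "GET /api/public/feed HTTP/1.1" 200 4821
203.0.113.7 - - [12/Jun/2019:10:00:31 +0000] "GET /api/public/feed HTTP/1.1" 200 4790
203.0.113.7 - - [12/Jun/2019:10:00:45 +0000] "GET /api/public/feed HTTP/1.1" 200 4801
198.51.100.2 - - [12/Jun/2019:10:00:50 +0000] "GET /api/public/feed HTTP/1.1" 200 4813
203.0.113.7 - - [12/Jun/2019:10:01:20 +0000] "GET /api/public/feed HTTP/1.1" 200 4770
198.51.100.2 - - [12/Jun/2019:10:02:05 +0000] "GET /api/public/feed HTTP/1.1" 200 4795
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line into (ip, timestamp, method, path); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]


def find_rate_limit_violations(log_text, path, limit=2, window=timedelta(minutes=1)):
    """Return {ip: number of GETs to `path` that exceeded `limit` per `window`}.

    A sliding window is kept per IP: each request is counted against the
    requests that arrived less than `window` before it.
    """
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    violations = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, req_path = parsed
        if method != "GET" or req_path != path:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:   # expire old timestamps
            q.pop(0)
        if len(q) > limit:
            violations[ip] += 1
    return dict(violations)
```

Run over the constructed log, only 203.0.113.7 is flagged: its third request at 10:00:45 and its fourth at 10:01:20 each land inside a one-minute window that already holds two requests.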