Venmo’s privacy issues first came to light in 2018. A security researcher demonstrated how the API could be used to obtain an alarming amount of personal data about the digital payment app’s users.
A related vulnerability was still in place in 2024, when it was used to highlight potentially embarrassing information about JD Vance. A new report says the company is belatedly fixing the problem…
The problem is that Venmo transactions and the messages that accompany them are public by default, as are your contacts in the app. A security researcher who analyzed more than 200 million transactions has given five stories illustrating the embarrassing level of information revealed.
This included the dealings of a cannabis dealer and a couple apparently in a soap opera relationship.
“Please leave me alone,” said the woman, whom Do Thi Duc calls Susana.
“I just love you. I’m sad you don’t understand,” the man responds.
In a later exchange, he says: “It’s very clear that you used me from the beginning. It took me a while to understand that.” The next morning he repents. “I’m sorry. I take back everything I said.”
Venmo then offered the option to keep your contacts private, but that still wasn’t set by default. The issue made the news again in 2024, when his public account revealed a contradiction between JD Vance’s claimed contempt for the elite and his own extensive network of contacts.
(His) public Venmo account provides an unfiltered glimpse into his vast network of relationships with Republican establishment heavyweights, wealthy financiers, tech executives, the prestigious press and fellow Yale Law School graduates, precisely the elites he attacks.
Venmo privacy is finally fixed
Parent company PayPal claimed at the time that it was a feature rather than a bug and refused to fix it. However, the company ultimately appears to have changed its mind, telling The Verge that it is changing the default privacy settings.
Venmo is beginning to test a major overhaul of its app, and as part of the changes it will implement a major new privacy measure: The onboarding process for new users will set their posts to only be visible to their friends by default instead of being public.
The default setting will be friends, but you can change it to “just me”. It is still unclear whether the contacts will be publicly visible or not.
The article states that the new app will be rolled out over the next few weeks.