10/5/2023

Dan Salmon is a master's graduate from Minnesota State University who specializes in information security.

Last summer, after paying my portion of the electric bill via Venmo, I started to wonder if there were holes I could poke in the app. I was a grad student studying information security at the time, and I thought I might make some extra cash. Venmo is owned by PayPal, which runs a public bug bounty program: it pays hackers to report security vulnerabilities in its products.

After proxying my phone's traffic through my laptop, I watched the network traffic as I navigated through the app. I noticed that when you open the Venmo home page, you're shown a live feed of transactions being made by strangers. I could see a public API endpoint that was returning the data for this feed, meaning that anyone could make a GET request (like a simple page load) to see the latest 20 transactions made on the app by anyone around the world. To my surprise, this endpoint was accessible even outside the app, with no authorization needed. After some experimenting, I found that I could make two requests for transaction data per minute, per IP address. At 20 transactions per request, that means a single IP address can observe at most 40 transactions a minute.

Since Venmo facilitates the transfer of money, there's also the possibility that money is being exchanged for illegal goods. A quick search for a few drug names and slang terms turns up hundreds of transactions. Though it's possible that many of these were jokes (admittedly, my friends do this), if those descriptions were accurate, an attacker may be able to use such information for blackmail.

But the most likely cyberattack to be conducted using Venmo data is spearphishing, and the amount of specific information available via the app would make for a very convincing phish. An attacker could easily find a list of the people their target most frequently interacts with, as well as that person's common spending habits. For example, if Andy frequently interacts with Shannon to pay for concert tickets, an attacker could craft a highly believable phishing message for Andy that looks like Shannon is sharing information about a concert with him and that he should log in to his Ticketmaster account to view it.

Unsurprisingly, I'm not the first to expose the potential for using Venmo data to carry out hacks.
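As an added example (this is not Dan Salmon's code and nothing from the post itself), here is a small Python collector that polls a public feed no faster than the observed limit of two requests a minute, de-duplicates the overlapping "latest 20" pages by transaction id, and then performs the two analyses described above: who a given user most often transacts with, and a keyword search over payment notes. The JSON shape, the two sample pages and the keyword list are constructed for this example; no real endpoint URL is assumed, and the collector accepts any callable that returns one raw page of JSON.

```python
"""Added example (not Dan Salmon's code): collect and analyse a public
payment feed of the kind described in the post.

Assumptions, all constructed for this example: the JSON shape
({"data": [{"id", "actor", "target", "note"}, ...]}), the feed pages
below, and the keyword list. No real endpoint URL is assumed; the
collector takes any callable that returns one raw JSON page.
"""
import json
import re
import time
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample pages. A "latest 20" feed polled repeatedly overlaps
# with itself, so transaction 1004 appears on both pages.
PAGE_1 = json.dumps({"data": [
    {"id": "1001", "actor": "andy", "target": "shannon", "note": "concert tix"},
    {"id": "1002", "actor": "andy", "target": "shannon", "note": "ticketmaster fees"},
    {"id": "1003", "actor": "bob", "target": "carol", "note": "rent"},
    {"id": "1004", "actor": "dave", "target": "eve", "note": "for the weed lol"},
]})
PAGE_2 = json.dumps({"data": [
    {"id": "1004", "actor": "dave", "target": "eve", "note": "for the weed lol"},
    {"id": "1005", "actor": "andy", "target": "shannon", "note": "seats for the show"},
    {"id": "1006", "actor": "andy", "target": "mike", "note": "electric bill"},
]})

# Illustrative term list; the post mentions "drug names and slang terms"
# without listing them.
KEYWORDS = re.compile(r"\b(weed|molly|coke)\b", re.IGNORECASE)

# Two requests per minute per IP address, as observed in the post.
MIN_INTERVAL_SECONDS = 30.0


class FeedCollector:
    """Polls a feed no faster than the observed rate limit and
    de-duplicates transactions by id across overlapping pages."""

    def __init__(self, fetch_page: Callable[[], str],
                 min_interval: float = MIN_INTERVAL_SECONDS,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch_page = fetch_page
        self._min_interval = min_interval
        self._sleep = sleep          # injectable so tests need not wait
        self._clock = clock
        self._last_request = None
        self.transactions: Dict[str, dict] = {}

    def poll(self) -> int:
        """Fetch one page; return how many transactions were new."""
        if self._last_request is not None:
            wait = self._last_request + self._min_interval - self._clock()
            if wait > 0:
                self._sleep(wait)
        self._last_request = self._clock()
        page = json.loads(self._fetch_page())
        new = 0
        for tx in page["data"]:
            if tx["id"] not in self.transactions:
                self.transactions[tx["id"]] = tx
                new += 1
        return new


def top_counterparties(transactions: Iterable[dict], user: str) -> Counter:
    """Who a user most often pays or is paid by: the raw material for a
    believable pretext (the Andy/Shannon example in the post)."""
    counts: Counter = Counter()
    for tx in transactions:
        if tx["actor"] == user:
            counts[tx["target"]] += 1
        elif tx["target"] == user:
            counts[tx["actor"]] += 1
    return counts


def flag_notes(transactions: Iterable[dict], pattern: re.Pattern) -> List[Tuple[str, str]]:
    """Transactions whose note matches the term list, sorted by id."""
    hits = [(tx["id"], tx["note"]) for tx in transactions if pattern.search(tx["note"])]
    return sorted(hits)


if __name__ == "__main__":
    pages = iter([PAGE_1, PAGE_2])
    collector = FeedCollector(lambda: next(pages), sleep=lambda s: None)
    for _ in range(2):
        print("new transactions:", collector.poll())
    txs = list(collector.transactions.values())
    print("andy's top counterparties:", top_counterparties(txs, "andy").most_common(3))
    print("flagged notes:", flag_notes(txs, KEYWORDS))
```

The sleep and clock callables are injected so the rate limiting can be exercised without actually waiting; against a live feed the defaults (`time.sleep`, `time.monotonic`) apply, and the interval should be set from whatever limit is observed rather than assumed.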