
A Case Study in Poor API Security

Most organizations are entrusted with the protection of some form of sensitive and valuable information, and the exact nature of this data can vary dramatically, from sensitive internal data (like research and development reports) to social media posts to customers' payment card information.

Regardless of the nature of the data, the organization is responsible for protecting it from leaking in a data breach, or it may face repercussions under data protection laws like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

One of the biggest challenges in protecting sensitive data is ensuring API security. Application Programming Interfaces (APIs) are designed to be gateways that give authorized parties easy access to an organization's sensitive data repositories. These APIs are designed to be easily accessed by automated scripts, which makes them valuable to legitimate users and attackers alike.

Unfortunately, there are a number of case studies showing what happens when API security goes wrong, and an extreme example comes from Venmo. In Venmo's case, users' sensitive payment data isn't compromised by a data leak so much as intentionally sprayed out by an API to anyone who asks for it.

What is Venmo?

Venmo, a mobile payment platform owned by PayPal, is designed to make transferring money online faster and easier, especially for quick one-time payments. One way that this is accomplished is by enabling transfers between any users of the Venmo app. These person-to-person transfers are extremely useful for settling payments between friends or colleagues.

Venmo also enables users to perform person-to-merchant transactions, making it a viable alternative to traditional payment systems (payment cards, etc.). As a result, Venmo has gained a large community of users, making its poor security and data leaks a very troubling issue.

The Venmo Data Leaks

As a payment platform, the data collected by Venmo to settle payments can be extremely sensitive. However, Venmo has decided that the transactions made by its users should be publicly accessible unless the users explicitly specify otherwise.

The data leaks on the Venmo platform have been exposed by a series of security researchers. Venmo provides a public API through which anyone can monitor a stream of the transactions marked as "public" by users. By default, all person-to-person transactions are public; person-to-merchant transactions, and transactions where the user has explicitly set their profile to private, are not exposed via the API.

A live stream of public Venmo payments can be accessed via the API. While the number of payments visible at any one time is limited, regular scraping of the API can build a dataset containing a large amount of sensitive information, including:

1. The user’s Venmo username
2. The user’s full name
3. A picture of the user
4. Payment details (parties involved, reason)

While it's not possible to see the exact amount of the payments, even the leaked information can pose a significant security risk for Venmo users. The ability to extract full names and payment patterns can be extremely useful in profiling a user for spear phishing or other cyberattacks. This data can also serve as a starting point for building a more complete profile of a target for use in identity theft.
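To make the default-visibility problem concrete, here is an added Python example (written for this article, not Venmo's code or schema) that places the opt-out feed described above beside an opt-in, data-minimised alternative. The `User` and `Transaction` models, the `share_publicly` flag and all sample users and payments are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class User:
    username: str
    full_name: str
    picture_url: str
    share_publicly: Optional[bool] = None  # None: the user never made a choice

@dataclass
class Transaction:
    payer: User
    payee: User
    note: str
    to_merchant: bool = False  # merchant payments stay off the feed in both models

def legacy_entry(tx: Transaction) -> Optional[dict]:
    """Opt-out model from the article: an unset preference counts as public, and the entry ships every identifying field the article lists."""
    if tx.to_merchant or tx.payer.share_publicly is False or tx.payee.share_publicly is False:
        return None
    def identity(u: User) -> dict:
        return {"username": u.username, "full_name": u.full_name, "picture": u.picture_url}
    return {"payer": identity(tx.payer), "payee": identity(tx.payee), "note": tx.note}

def hardened_entry(tx: Transaction) -> Optional[dict]:
    """Opt-in model: both parties must have explicitly chosen public, and the entry is minimised to usernames and the note (no full name, no picture)."""
    if tx.to_merchant or tx.payer.share_publicly is not True or tx.payee.share_publicly is not True:
        return None
    return {"payer": tx.payer.username, "payee": tx.payee.username, "note": tx.note}

def build_feed(txs: List[Transaction], policy: Callable[[Transaction], Optional[dict]]) -> List[dict]:
    return [entry for entry in map(policy, txs) if entry is not None]

# Constructed sample data (not real users or payments).
ALICE = User("alice", "Alice Example", "https://img.example/alice.png")        # never chose
BOB = User("bob", "Bob Example", "https://img.example/bob.png")                # never chose
CAROL = User("carol", "Carol Example", "https://img.example/carol.png", True)  # opted in
DAVE = User("dave", "Dave Example", "https://img.example/dave.png", False)     # opted out
ERIN = User("erin", "Erin Example", "https://img.example/erin.png", True)      # opted in
SAMPLE_TRANSACTIONS = [
    Transaction(ALICE, BOB, "rent"),      # hurried payment, defaults left alone
    Transaction(CAROL, ERIN, "coffee"),   # both explicitly public
    Transaction(CAROL, DAVE, "tickets"),  # one party opted out
    Transaction(BOB, CAROL, "groceries", to_merchant=True),
]

if __name__ == "__main__":
    print("legacy feed  :", build_feed(SAMPLE_TRANSACTIONS, legacy_entry))
    print("hardened feed:", build_feed(SAMPLE_TRANSACTIONS, hardened_entry))
```

Under the opt-out policy the hurried "rent" payment is published with both users' full names and pictures; under the opt-in policy it never leaves the system, and the one payment that is published carries only usernames and the note.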

While these data leaks have been reported to Venmo and published on multiple occasions, Venmo has decided not to fix the issue. Since Venmo targets the US market and the US does not have a national data privacy regulation, the probability of Venmo being held accountable for leaking sensitive data in violation of data protection laws like the GDPR is extremely low. As a result, the responsibility for securing Venmo payment data lies in the hands of its users. Since the default option leaves transactions public and (presumably) many Venmo payments are made in a hurry, this doesn't bode well for user privacy on Venmo.

Takeaways for API Security

While Venmo's data leaks via its API are intentional, they underscore the importance of good API security for any business dealing with sensitive user data. As customers' personal data becomes more valuable to attackers, individuals and governments are increasingly calling for data privacy. As a result, data privacy regulations like the GDPR and CCPA have come into existence in recent years to help protect customer data.

Since APIs are intentionally designed to provide easy access to potentially sensitive data, securing them is a priority. While Venmo intentionally makes transaction data publicly available via its API by default, most organizations want to protect access to this sensitive (and valuable) data.

The issue with securing web APIs is that it is a challenging problem to solve. APIs act as a direct connection between the user and repositories of valuable (and possibly legislatively protected) data, making them a prime target for attackers. Ensuring that a simple flaw in an API's code doesn't become the cause of a major data breach should be a high priority in any organization's data protection strategy.

Deploying a strong API security solution is a vital component of accomplishing this goal. While secure coding is important, especially for APIs, a simple mistake can leave the API open to compromise. Investing in a good API security solution can ensure that a minor mistake doesn’t lead to a major data breach.
