Tuesday, June 18, 2019
As consumers share everything from restaurant dinners to dental visits on social media, security advocates recommend reviewing the privacy settings on mobile apps and social media platforms. Failure to do so may expose more details than most users would want to share, experts warn. In a June 16, 2019, post titled “Millions of Venmo transactions scraped in warning over privacy settings,” TechCrunch security editor Zack Whittaker reported that Dan Salmon had uploaded 7 million Venmo transactions to GitHub, primarily as a consumer wake-up call.
Whittaker noted that Salmon, a computer science student, wanted to draw attention to Venmo’s default settings, which make every transaction public. It took Salmon six months to compile the data. “The peer-to-peer mobile payments service faced criticism last year after Hang Do Thi Duc, a former Mozilla fellow, downloaded 207 million transactions,” Whittaker wrote. Despite both disclosures, Venmo has not changed its default settings, he stated.
Salmon said he used Venmo’s public API to scrape the transaction data. On June 12, he released the dataset on GitHub, demonstrating that the data is publicly accessible and can be pulled without so much as an API key. “There is some very valuable data here for any attacker conducting OSINT [open-source intelligence] research,” he wrote on GitHub.
“Venmo purposely designed this functionality into their app in an effort to increase user engagement – it isn’t exactly a security vulnerability,” Bakken said. “Last summer, a spokesperson said some users enjoy opening up the app to see what friends, families or strangers are purchasing via Venmo.”
Ameya Talwalkar, co-founder and chief product officer at Cequence Security, pointed out that scraping attacks can be difficult to detect and can wreak havoc on business environments and public infrastructure. “Many of today’s hyper-connected organizations are faced with the challenge of how to address content scraping attacks in an efficient and scalable manner,” he said. “The impact of this attack can be wide-ranging, starting from overspending on infrastructure to devastating loss of intellectual property.”
Content scraping attacks are also difficult to prevent, Talwalkar stated, because they can target any part of a domain, which forces businesses to deploy bot mitigation on every web application and API endpoint rather than on a single front door. The attack patterns change quickly, which lets them scale while eluding signature-based detection. When scrapers meet resistance at the web application, they can simply switch to the API endpoints that serve the same data, he added.
“Scraping attacks leverage application APIs and endpoints,” he said. “The use of API endpoints is rapidly becoming a critical element in the move towards a more rapid, iterative application development workflow. The same information that may be consumed by mobile customers, partners, aggregators from a rich web-based interface is also available via the API endpoints.”
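Talwalkar’s point that a throttled scraper simply pivots to the API means detection has to correlate one client’s behaviour across both the web UI and the API surface, not police each endpoint in isolation. The following Python is an added example, not code from the article, from Cequence or from any vendor. It parses a constructed, hypothetical access-log format (client IP, method, path, status, epoch seconds) and flags a client on three signals: request velocity, a sequential sweep through a paginated resource, and a 429 on the web UI followed by requests to /api/ paths. The log format, paths, thresholds and sample traffic are all assumptions made for illustration.

```python
"""Toy scraping detector that correlates web-UI and API traffic per client.

Added example; the log format below is hypothetical, not any real server's:
    <client_ip> <method> <path> <status> <epoch_seconds>
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<ts>\d+)$")
# Common pagination parameter names (assumption for this example).
PAGE_RE = re.compile(r"[?&](?:page|offset|before)=(\d+)")

# Constructed sample traffic: one ordinary user (198.51.100.7) and one scraper
# (203.0.113.10) that sweeps the feed, is rate-limited on page 9, then pivots
# to the API endpoint. The last line is malformed on purpose.
SAMPLE_LOG = """\
198.51.100.7 GET /feed 200 2000
198.51.100.7 GET /feed?page=2 200 2100
198.51.100.7 GET /profile/alice 200 2300
203.0.113.10 GET /feed?page=1 200 1000
203.0.113.10 GET /feed?page=2 200 1001
203.0.113.10 GET /feed?page=3 200 1002
203.0.113.10 GET /feed?page=4 200 1003
203.0.113.10 GET /feed?page=5 200 1004
203.0.113.10 GET /feed?page=6 200 1005
203.0.113.10 GET /feed?page=7 200 1006
203.0.113.10 GET /feed?page=8 200 1007
203.0.113.10 GET /feed?page=9 429 1008
203.0.113.10 GET /api/v1/transactions?page=1 200 1009
203.0.113.10 GET /api/v1/transactions?page=2 200 1010
203.0.113.10 GET /api/v1/transactions?page=3 200 1011
this line is garbage and must be skipped
"""


@dataclass
class Request:
    ip: str
    method: str
    path: str
    status: int
    ts: int

    @property
    def is_api(self) -> bool:
        # Assumption: API traffic lives under /api/ in this hypothetical app.
        return self.path.startswith("/api/")

    @property
    def page(self) -> Optional[int]:
        m = PAGE_RE.search(self.path)
        return int(m.group(1)) if m else None


def parse_log(text: str) -> List[Request]:
    """Parse log lines; malformed lines are skipped rather than crashing the detector."""
    out: List[Request] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Request(m["ip"], m["method"], m["path"], int(m["status"]), int(m["ts"])))
    return out


def detect_scrapers(requests: List[Request], window: int = 60,
                    max_rate: int = 10, min_pages: int = 5) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients whose combined web+API traffic looks like scraping."""
    by_ip: Dict[str, List[Request]] = defaultdict(list)
    for r in requests:
        by_ip[r.ip].append(r)

    findings: Dict[str, List[str]] = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r.ts)
        reasons: List[str] = []

        # 1. Velocity: more than max_rate requests in any sliding `window` seconds.
        j = 0
        for i, r in enumerate(reqs):
            while reqs[j].ts <= r.ts - window:
                j += 1
            if i - j + 1 > max_rate:
                reasons.append("velocity")
                break

        # 2. Pagination sweep: consecutive page numbers across web AND API paths.
        pages = sorted({r.page for r in reqs if r.page is not None})
        if len(pages) >= min_pages and pages == list(range(pages[0], pages[0] + len(pages))):
            reasons.append("pagination-sweep")

        # 3. Pivot: rate-limited (429) on the web UI, then the same client hits the API.
        throttled_at = next((r.ts for r in reqs if r.status == 429 and not r.is_api), None)
        if throttled_at is not None and any(r.is_api and r.ts >= throttled_at for r in reqs):
            reasons.append("web-to-api-pivot")

        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, why in detect_scrapers(parse_log(SAMPLE_LOG)).items():
        print(ip, ", ".join(why))
```

The ordinary user produces no finding: three requests over five minutes, a single page value and no 429. The scraper trips all three rules, and the third rule only fires because the detector keys on the client rather than the endpoint, which is the practical consequence of Talwalkar’s observation. In production the thresholds would be tuned per endpoint, the client key would be stronger than a bare source IP, and the signals would feed a scoring model rather than hard flags.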