6 lessons from Venmo’s lax approach to API security

Earlier this summer time, a pc science scholar was ready to entry info on seven million Venmo transactions, together with the total names of individuals sending cash by way of the platform. Last 12 months, one other researcher was ready to obtain greater than 200 million transactions.

This wasn’t a case of somebody exploiting a vulnerability to hack right into a system, or an organization by accident leaving a database in full public view. Venmo made the information accessible by providing a public software programming interface (API) — that enables the general public to obtain the information. The out there information consists of names and transaction descriptions. Some transaction descriptions embrace particulars of unlawful drug exercise.

Divorce attorneys and IRS auditors may additionally doubtlessly make use of this info, says Keith Casey, API drawback solver at Okta, an entry administration firm. “As a security issue, it also creates the opportunity for malicious actors to use this publicly available payment record for social engineering attacks,” he added. “With 40 million active users, Venmo’s APIs are an unlocked front door to a treasure trove of insights.”

Venmo is not alone. APIs are a serious security headache for a lot of…


Source link

Leave a Comment

Your email address will not be published. Required fields are marked *

Social media & sharing icons powered by UltimatelySocial

Enjoy this blog? Please spread the word :)