CS Student Scrapes 7 Million Venmo Transactions to Prove It’s Still Possible
Last updated June 29, 2021
Venmo users are going through another privacy nightmare, as the platform has a logic loophole that exposes old profile photos uploaded by users years ago, and there’s no way to delete or hide them from public access. These are profile images that the user replaced with a new one at some point. The natural assumption is that replacing a profile image wipes the old one, but in the case of Venmo, it doesn’t.
According to a BuzzFeed News report, accessing these images is as simple as making a small edit to the URL of the target user’s profile view page. By using this trick, one can go back to the previous profile image, the one that came before it, and every image a user has uploaded since they created their Venmo account. This may sound like nothing serious, as profile images were uploaded with the intention of being public, but there are a million reasons why someone might want these pictures gone later on.
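The flaw described above comes down to retaining every replaced image and letting a request address old ones by a predictable parameter. The following is an added illustration, not Venmo’s code and not based on any knowledge of its URL layout: an insecure in-memory store that keeps a version history reachable by index, beside a hardened store that purges the old object on replacement and ignores any version parameter. User names, the version parameter and the photo bytes are constructed for the example.

```python
"""Added example (not Venmo's code): a minimal model of the profile-photo
retention problem. `VersionedPhotoStore` keeps every old photo and lets a
request address it by a guessable version number. `CurrentPhotoStore` is the
hardened form: replacing a photo deletes the old object, and a request can
only obtain the current one. All names and data are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VersionedPhotoStore:
    """Insecure: every uploaded photo stays addressable by (user, version)."""
    photos: Dict[str, List[bytes]] = field(default_factory=dict)

    def upload(self, user: str, data: bytes) -> None:
        # The old photo is never removed; it just gets a lower index.
        self.photos.setdefault(user, []).append(data)

    def fetch(self, user: str, version: Optional[int] = None) -> Optional[bytes]:
        history = self.photos.get(user)
        if not history:
            return None
        # A caller who edits the version parameter can walk back through history.
        idx = len(history) - 1 if version is None else version
        if 0 <= idx < len(history):
            return history[idx]
        return None


@dataclass
class CurrentPhotoStore:
    """Hardened: only the current photo exists; replacement destroys the old bytes."""
    photos: Dict[str, bytes] = field(default_factory=dict)
    purged: int = 0  # number of old objects deleted, kept for audit

    def upload(self, user: str, data: bytes) -> None:
        if user in self.photos:
            # In a real deployment this is the point at which the previous blob
            # is deleted from object storage (and any CDN cache invalidated).
            self.purged += 1
        self.photos[user] = data

    def fetch(self, user: str, version: Optional[int] = None) -> Optional[bytes]:
        # The version parameter is accepted for URL compatibility but ignored:
        # there is exactly one photo per user and no history to enumerate.
        return self.photos.get(user)


def demo() -> dict:
    """Upload two photos for one user to each store and compare what a
    version-edited request can retrieve."""
    old, new = b"photo-v1", b"photo-v2"
    insecure = VersionedPhotoStore()
    hardened = CurrentPhotoStore()
    for store in (insecure, hardened):
        store.upload("alice", old)
        store.upload("alice", new)
    return {
        "insecure_old_reachable": insecure.fetch("alice", 0) == old,
        "hardened_old_reachable": hardened.fetch("alice", 0) == old,
        "hardened_current": hardened.fetch("alice") == new,
        "hardened_purged": hardened.purged,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened store is that there is nothing to enumerate: access control on a history endpoint would be one fix, but deleting the replaced object is the one that also satisfies a user who expects the old photo to be gone.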
Venmo is a mobile payment service owned by PayPal, and it’s a very popular peer-to-peer transaction platform in the United States. In August 2019, EFF urged the parent company to push Venmo to change its privacy-undermining default account settings. In July 2018, a Mozilla researcher found a vulnerability in Venmo’s public API, which made all transaction data accessible for scraping. In fact, Clearview AI included Venmo’s API in its massive scraping campaign as Venmo failed to address the issue even after a full year following the public disclosure.
So, is the company willing and ready to deal with the newly surfaced issue quicker? Caitlin Girouard, a spokesperson for PayPal, shared the following statement with BuzzFeed News:
We don’t know what to make of this, but it doesn’t sound like a convincing affirmation of the problem, which would be the first step in going about resolving it. The particular bug is indicative of Venmo’s general approach when it comes to user privacy and security, as it is just another unlocked door to enter what should be a realm of privacy. On Venmo, such distinctions and separating layers just aren’t there and never were.