
Venmo messed up again Venmo API Wrapper - mmohades
https://www.reddit.com/r/Python/comments/f8176b/venmo_api_wrapper/
======
atymic
I'm a bit confused at these "Issues"

> Unfortunately, the Venmo team doesn't seem like they care about their users'
> security and data privacy, and they are not validating SSL certificates.

Looking at the code, the client talks to https://api.venmo.com/v1 (over TLS).
It's up to the client to validate the cert, so this statement makes no sense.

> I should mention that Venmo sends your email address and password as plain
> text when you log in.

It is sent over TLS, which is NOT plain text. The author has no idea what they
are talking about.

~~~
detaro
> _It's up to the client to validate the cert, so this statement makes no
> sense._

Given that they talk about reverse engineering the app, maybe they mean the
official app not doing it. Not that a post about an API wrapper on a
programming forum is a good place to communicate that.

~~~
atymic
Ahh, yes they might mean the app isn't using certificate pinning.

Irrespective, you have to install a root certificate on your phone, which
generally has a pretty clear warning on the risks.

Certificate pinning can always be bypassed anyway, security through obscurity
isn't security.

