I looked at the website before commenting just to be sure. Judging from the quality of the design (which, yes, I think is an appropriate way to arrive at this conclusion), I would not be surprised to find out that this is a couple recent college grads who don’t realize what this business entails.

Indeed. It also seems more like Plaid than ElcomSoft.

they can try to justify it all they want, using these apis still breaks multiple federal laws

i noted this in a previous thread with them, to which they replied if its your data you can access it which ever way you like. Which is like saying i can hack into my bankers computer remotely to view my account balance. Which is still illegal.

Using unapproved apis is unauthorized access to a computer or network, illegal in the US at least, which ever way you want to try and look at it

Remember both Plaid and Aaron Swartz did this, it can end if very different ways. Obviously the government can pick and choose who to send to jail, but that’s a risk

This is legal. See Teller API. Venmo will most likely lose if they take these devs to court based on precedent.

I don't like this trend of small time OSS devs being berated about legal bullying from megacorps, meanwhile handsomely VC-funded businesses get congratulated with legal help. We should be berating these companies of not releasing the APIs that people want to use!

We're in an age of AI, built atop agents, agents built atop APIs. APIs were the promise of Web 2.0, a promise being ripped away from us more and more by the day by these megacorps.

There should be a SPECIFIC legal funds/OSS unions protecting these Adversarial Interoperability projects and their maintainers from legal threat harassment by megacorps.

Just in the last 2 years we've had multiple near/passed-trillion dollar companies sending legal threats to OSS devs who have to fight them off on their own - one of them 15 years old.

Thank you alanalanlu and richardyhz for this project. Godspeed! And screw Venmo if they dare go after these two maintainers and their project!

I'd be surprised if this was even noticed at all.

It's a third-party client making authentication and data collection requests, just like the hundreds of other credential stuffing toolkits (OpenBullet et al.) that are smashing the Venmo platform 24/7.

The most likely outcome for anyone using this is their account becoming restricted for unusual access patterns by the existing models already in place.

I'd also be a bit worried about using something like this in production, especially if it's packaged as a npm lib. Even if the original maintainer has good intentions, it'd be all too easy for some malicious actor to offer them a million dollars to introduce a trojan/credential MITM scraper to later versions.

How do you think Plaid worked before banks got onboard with OAuth?

Former guy who used to reverse engineer Venmo/ other fintech/ bank APIs here. They really don’t care most of the time

We can handle 2FA during login. Regarding refreshing auth, it depends on the platform. We can help remain logged in nearly indefinitely on some platforms, while others would require users to re-login periodically.

Good question! You can get the bearer token from the cookies in the browser. We also offer a hosted service where we handle the entire integration (authentication and hosting).

Strong +1.

There’s no need to offer bad unsolicited legal advice on behalf of a mega corp. Just stop.

>And once captchas are introduced it's over. I wouldn't be surprised if stuff like captchas would be implemented more into websites to stop scrapers for good.

lol, not really. Captcha solving services like DeathByCaptcha and AntiCaptcha cost like $1.90 per 1,000 successfully solved captchas. They have APIs and you can easily implement them into your existing code in a few lines.

tl;dr = captchas do nothing and they also do nothing to stop scrapers. its a non-issue.

source: I scrape a lot of things and defeat captchas daily.

Goody idea in 2014 but it is 2024 and AI capabilities defeat nearly all "Prove you are a human" challenges.