Social event planning app Partiful, which calls itself “Facebook events for hot people,” has firmly replaced Facebook as the go-to platform for sending party invitations. But what Partiful also has in common with Facebook is that it’s collecting a tsunami of user data, and Partiful could have done better at keeping that data secure.
On Partiful, hosts can create online invitations with a retro, maximalist vibe, allowing guests to RSVP to events with the ease of ordering a salad on a touch-screen. Partiful aims to be user-friendly and trendy, propelling the app to #9 on the iOS App Store’s Lifestyle charts. Google called Partiful the “best app” of 2024.
Now, Partiful has evolved into a powerful Facebook-like social graph, easily mapping who your friends are and who your friends’ friends are, what you do, where you go, and all of your phone numbers.
As Partiful grew more popular, some users became skeptical of the company’s origins. One New York City promoter announced that it was boycotting Partiful because its founders and some staff are former employees of Palantir, Peter Thiel’s data mining company, which produces the software that powers ICE’s master database for the Trump administration’s deportation crackdown.
Given some of the speculation around the app, TechCrunch set up a new account and tested Partiful. We soon found that the app was not stripping the location data of user-uploaded images, including public profile photos.
TechCrunch found it was possible for anyone, using only the developer tools in a web browser, to access raw user profile photos stored in Partiful’s backend database hosted on Google Firebase. If the user’s photo contained the precise real-world location of where it was taken, anyone else could have also viewed the precise coordinates of where that photo was taken.
Almost all digital files, like the pictures you take on a smartphone, contain metadata, which includes information like the file size, when it was created, and by whom. In the case of photos and videos, metadata can include information about the kind of camera used and its settings, as well as the precise latitude and longitude coordinates of where the image was captured.
The security flaw is problematic because anyone using Partiful could have revealed the location of where a person’s profile photo was snapped. Some Partiful user profile photos contained highly granular location data that could be used to identify the person’s home or work, particularly in rural areas where individual homes are easier to distinguish on a map.
It’s common practice for companies that host user images and videos to automatically remove metadata upon upload to prevent privacy lapses like this.
TechCrunch verified the bug ourselves by uploading a new Partiful profile photo that we had previously captured from outside of the Moscone West Convention Center in San Francisco, which contained the photo’s precise location. When we checked the metadata of the photo stored on Partiful’s server, it still contained the exact coordinates of where the image was taken down to a few feet.
TechCrunch’s profile photo containing GPS coordinates uploaded to Partiful. Image Credits:TechCrunch The location of where our Partiful profile photo was taken on a Google Map Image Credits:TechCrunch
After discovering the security flaw, TechCrunch alerted Partiful co-founders Shreya Murthy and Joy Tao by email, as Partiful does not have a public means for reporting security flaws. TechCrunch shared a link to a Partiful user’s raw profile photo containing that user’s real-world location at the time the photo was taken, a residential address in Manhattan.
Tao told TechCrunch on Friday that the vulnerability was “already on our team’s radar, and was recently prioritized as an upcoming fix.”
Partiful initially provided a timeline to fix the flaw by “next week,” but given the sensitivity of the data involved, Partiful fixed the bug by Saturday at TechCrunch’s request.
TechCrunch confirmed Saturday that metadata was removed from existing user-uploaded photos. The profile photo that we uploaded with our real-world location also had the metadata removed.
Partiful disclosed the security lapse in a tweet shortly before the publishing of this story.
When asked by TechCrunch if Partiful has the technical means, such as logs, to determine if there was any direct or bulk access to user profile photos stored in its database, Partiful spokesperson Jess Eames said this was “still under investigation but we have found no evidence of this yet.”
Eames said the company “regularly perform security reviews with experts in the field, not just as a one-time action but as part of our ongoing processes.” Partiful did not provide TechCrunch with the name of the experts when asked.
Partiful has raised over $27 million from investors since its founding in 2022, including a $20 million Series A funding round led by Andreessen Horowitz. TechCrunch asked Partiful’s co-founders if they had commissioned a security review of their product before launch, but would not say.