Social event planning app Partiful, which calls itself “Facebook events for hot people,” has firmly replaced Facebook as the go-to platform for sending party invitations. But what Partiful also has in common with Facebook is that it’s collecting a tsunami of user data, and Partiful could have done better at keeping that data secure.
On Partiful, hosts can create online invitations with a retro, maximalist vibe, allowing guests to RSVP to events with the ease of ordering a salad on a touch-screen. Partiful aims to be user-friendly and trendy, propelling the app to #9 on the iOS App Store’s Lifestyle charts. Google called Partiful the “best app” of 2024.
Now, Partiful has evolved into a powerful Facebook-like social graph, easily mapping who your friends are and who your friends’ friends are, what you do, where you go, and all of your phone numbers.
As Partiful grew more popular, some users became skeptical of the company’s origins. One New York City promoter announced that it was boycotting Partiful because its founders and some staff are former employees of Palantir, Peter Thiel’s data mining company, which produces the software that powers ICE’s master database for the Trump administration’s deportation crackdown.
Given some of the speculation around the app, TechCrunch set up a new account and tested Partiful. We soon found that the app was not stripping the location data of user-uploaded images, including public profile photos.
TechCrunch found it was possible for anyone, using only the developer tools in a web browser, to access raw user profile photos stored in Partiful’s backend database hosted on Google Firebase. If the user’s photo contained the precise real-world location of where it was taken, anyone else could have also viewed the precise coordinates of where that photo was taken.
Almost all digital files, like the pictures you take on a smartphone, contain metadata, which includes information like the file size, when it was created, and by whom. In the case of photos and videos, metadata can include information about the kind of camera used and its settings, as well as the precise latitude and longitude coordinates of where the image was captured.
The security flaw is problematic because anyone using Partiful could have revealed the location of where a person’s profile photo was snapped. Some Partiful user profile photos contained highly granular location data that could be used to identify the person’s home or work, particularly in rural areas where individual homes are easier to distinguish on a map.
It’s common practice for companies that host user images and videos to automatically remove metadata upon upload to prevent privacy lapses like this.
TechCrunch verified the bug ourselves by uploading a new Partiful profile photo that we had previously captured from outside of the Moscone West Convention Center in San Francisco, which contained the photo’s precise location. When we checked the metadata of the photo stored on Partiful’s server, it still contained the exact coordinates of where the image was taken down to a few feet.
... continue reading