
Partiful Data Privacy Issue: GPS Location Data in Photos

October 4, 2025

Partiful: Data Security Concerns Emerge for Popular Event Planning App

The social event planning application, Partiful, marketed as a more exclusive alternative to Facebook Events, has rapidly gained prominence as a preferred platform for issuing party invitations. However, similar to its predecessor, Partiful amasses substantial amounts of user data, and recent findings suggest potential shortcomings in its data security protocols.

App Features and Rapid Growth

Partiful allows hosts to design visually appealing, retro-style online invitations, streamlining the RSVP process for guests. This user-centric and contemporary approach has propelled the app to the No. 9 position on the iOS App Store’s Lifestyle charts. Notably, Google recognized Partiful as the “best app” of 2024.

The platform has evolved into a robust social network, mirroring Facebook’s capabilities in mapping connections between users, tracking activities, pinpointing locations, and storing contact information.

Concerns Regarding Company Origins

As Partiful’s popularity surged, some users expressed reservations about the company’s background. A New York City event promoter initiated a boycott, citing the founders’ and certain staff members’ prior employment at Palantir, a data-mining firm associated with ICE’s deportation efforts under the previous administration.

Discovery of a Location Data Vulnerability

Following these concerns, TechCrunch conducted an investigation, creating a new account to assess Partiful’s security measures. The testing revealed that the app failed to strip location data from user-uploaded images, including profile pictures.

Using standard web browser developer tools, it was possible to access raw user profile photos directly from Partiful’s database, hosted on Google Firebase. If a photo contained precise location information, that data was also accessible.

Understanding Metadata and its Risks

Metadata, embedded within digital files like photographs, encompasses details such as file size, creation date, and creator. For images and videos, this metadata can include camera settings and, critically, the precise latitude and longitude coordinates where the image was captured.

This flaw risked exposing the location where a user’s profile photo was taken. In certain instances, profile photos contained granular location data that could reveal a person’s home or workplace, especially in less densely populated areas.

It is standard industry practice for platforms hosting user-generated content to automatically remove metadata upon upload to mitigate such privacy risks.
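A minimal sketch of the upload-time stripping described above, added here as an illustration; it is not Partiful's or TechCrunch's code. It walks a JPEG's header segments and drops the ones that hold Exif (where GPS coordinates live), XMP, IPTC and comments. The function names and the sample bytes are constructed for this example.

```python
import struct

# Segments that carry metadata, not pixels: APP1 (Exif, where GPS tags
# live, and XMP), APP13 (IPTC/Photoshop), COM (free-text comment).
METADATA_MARKERS = {0xE1, 0xED, 0xFE}

def iter_segments(jpeg: bytes):
    """Yield (marker, start, end) for each segment up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xDA:            # SOS: compressed scan data runs to EOF
            yield marker, pos, len(jpeg)
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated or malformed segment")
        yield marker, pos, end
        pos = end
    raise ValueError("no SOS marker found")

def strip_metadata(jpeg: bytes) -> bytes:
    """Return the JPEG without metadata segments; raises on unparseable input
    so the caller rejects the upload instead of storing it as-is."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(jpeg):
        if marker not in METADATA_MARKERS:
            out += jpeg[start:end]
    return bytes(out)

def has_exif(jpeg: bytes) -> bool:
    return any(m == 0xE1 and jpeg[s + 4:s + 10] == b"Exif\x00\x00"
               for m, s, _ in iter_segments(jpeg))

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: valid segment layout, not a decodable photo.
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00" + bytes(9))
          + _seg(0xE1, b"Exif\x00\x00<constructed GPS IFD bytes>")
          + _seg(0xDB, bytes(65)) + _seg(0xDA, bytes(6)) + b"\x12\x34\xff\xd9")
```

Removing the whole Exif segment also discards the orientation tag, so a real pipeline applies any rotation to the pixels before stripping. PNG, HEIC and WebP store metadata in different containers and need their own handling.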

TechCrunch’s Verification of the Flaw

TechCrunch confirmed the vulnerability by uploading a new profile photo taken outside the Moscone West Convention Center in San Francisco. The metadata, including precise coordinates accurate to within a few feet, remained intact when the photo was stored on Partiful’s servers.

Reporting the Vulnerability to Partiful

Upon discovering the issue, TechCrunch contacted Partiful co-founders Shreya Murthy and Joy Tao via email, as the app lacked a publicly available security reporting mechanism. The communication included a link to a user’s raw profile photo revealing their residential address in Manhattan.

Partiful’s Response and Remediation

Joy Tao informed TechCrunch that the vulnerability was already known to the team and had been prioritized for a fix. Initially, a timeline of “next week” was provided, but TechCrunch requested a faster resolution given the sensitivity of the data. Partiful confirmed the bug was fixed by Saturday.

Subsequent verification by TechCrunch confirmed that metadata had been removed from existing user-uploaded photos, including the test image with location data.

Partiful publicly disclosed the security lapse via a tweet shortly before this report was published.

Investigation into Potential Data Access

When questioned about the possibility of unauthorized access to user profile photos, Partiful spokesperson Jess Eames stated that an investigation was underway, but no evidence of such access had been found yet.

Eames affirmed that the company “regularly [performs] security reviews with experts in the field” as an ongoing process. However, Partiful declined to disclose the names of these experts.

Funding and Security Review History

Partiful has secured over $27 million in funding since its inception in 2022, including a $20 million Series A round led by Andreessen Horowitz. TechCrunch inquired whether a security review had been conducted prior to launch, but the co-founders did not provide a response.
