On Thursday, Twitter started rolling out a new feature called Tip Jar that allows users to send money to other users. Right after users started noticing the new feature, security and privacy researchers found some potential risks for both people who send the tips and people who receive them.
Rachel Tobac, the CEO of SocialProof Security, found that when somebody sends a tip via Paypal—one of the services that Twitter uses for this feature—the receiver gets the tipper’s address in the receipt.
Videos by VICE
“PayPal needs to make it crystal clear which data is given to money receivers and stop sharing that data, & Twitter needs to educate users who don’t realize what info tip receivers get when using PayPal,” Tobac wrote in a tweet.
Tobac told Motherboard that “while some may say ‘well just make sure you are safe before sending!’ Twitter folks are particularly at risk because they’re already expecting to be able to be anonymous on the platform, and there are so many vulnerable populations on Twitter.”
A Twitter spokesperson told Motherboard in an emailed statement that the company is “updating our in-app notification and Help Center article to make it clearer that other platforms, per their terms, may share information about people sending tips to one another.”
Kayvon Beykpour, Twitter’s product lead, thanked Tobac in a reply and added that “we can’t control the revealing of the address on Paypal’s side but we will add a warning for people giving tips via Paypal so that they are aware of this.”
Tom Hunter, a spokesperson for Paypal, told Motherboard in an email that there are two different ways to send money via Paypal. Users can send payments as “Goods and Services” which will automatically share their address with the recipient or send payments as “Friends and Family” which does not share the address with the recipient. “If some, for example, has a business account that is primarily used for selling or other goods and services, their account payment type is likely to default to Goods and Services.”
“This is the standard functionality of the PayPal app and we will work with Twitter closely to ensure user awareness,” Hunter added.
In a test, Motherboard saw that when trying to send a payment to a Twitter user, Paypal let us choose which kind of payment to send, but “Sending as Friend” was checked as the default.
Privacy and security researcher Ashkan Soltani found another separate privacy issue with the tipping system. According to him and a test video he posted, a user can find out the recipient’s email address that’s linked to their Paypal even if the user never sends them money.
“It’s incredibly frustrating when tech companies ilke Twitter and Facebook unleash untested products onto a hapless public, particularly when the problems they introduce can cause significant harm to both digital and physical safety,” Ashkan Soltani, who used to be the Federal Trade Commission’s chief technologist, told Motherboard in an online chat. “Lots of folks prefer to keep their ‘real world’ identities private for a variety of reasons (safety, liability, persecution)—particularly when they can potentially lose their jobs or be persecuted for their views on social media / Twitter. You would think for a company like Twitter, who is under order with the FTC for failures related to data security (a case I personally worked on), they would be mindful of these types of privacy and security risks when they release new features.”
Twitter and Paypal did not immediately respond to a request for comment about Soltani’s finding.
Additional reporting by Joseph Cox
This story has been updated to include a quote from Rachel Tobac.
Subscribe to our cybersecurity podcast CYBER, here.