Twitter's new Tip Jar feature, which lets you send money to your favorite Twitter users, is nice, but it also has a glaring privacy issue which you should be aware of.
Security researcher Rachel Tobac has noticed that tipping someone via the Tip Jar might reveal your home address to that person, which is a potentially dangerous privacy problem (not to mention that it's completely unnecessary in most cases).
It doesn't happen in all instances. Tip Jar lets you choose a payment provider before you "tip" a Twitter user, and if you choose PayPal, the receiver will see your home address when they receive the tip.
Twitter product lead Kayvon Beykpour has acknowledged the issue, saying that it's a problem on PayPal's side. "We can't control the revealing of the address on PayPal's side but we will add a warning for people giving tips via PayPal so that they are aware of this," he tweeted.
According to PayPal (via Gizmodo), this only happens if you send the tip as "goods and services"; if you choose a different category, such as "friends and family," your address won't be shared. It also appears that this doesn't happen if you choose to tip using a payment provider other than PayPal.
This is not the only privacy issue on Tip Jar. According to technologist Ashkan Soltani, the Tip Jar feature reveals the recipient's email address, linked to their account, even when you don't send them money. Note that this is different from the issue above, which has to do with the sender's physical home address.
Tip Jar is currently in beta and is not available to all users. Still, having your real name and home address (or even just the email address) revealed to strangers for no good reason is a pretty serious problem, even if it affects a small subset of users.
In its FAQ for Tip Jar, Twitter says the following: "When you add a third-party payment service to your profile, please note that your username on that service will be publicly linked to your Twitter account. Information about you, including your full name or address and your tip may be shared with the recipient or others, subject to the terms of the third-party payment service. Please review each service's terms for more details."
It's hard to tell, however, how many users will read this FAQ or be acquainted with PayPal's terms of service well enough to know that their address might be shared. Would it be too much to ask for Twitter to sort it out with PayPal and make sure it cannot happen?