- Not long after the rollout of the feature, security researcher Rachel Tobac discovered a serious privacy vulnerability that, it ought to be said, should have been picked up by Twitter’s developers right at the outset
- The researcher discovered that, if a user sought to use PayPal to send someone money, their home address was revealed
- The US Federal Trade Commission’s chief technologist Ashkan Soltani also found that using the PayPal route may reveal a sender’s email address even without a transaction taking place
Hugely popular microblogging platform Twitter last Friday took another step to consolidate that popularity, unveiling a new monetisation feature for content creators dubbed ‘Tip Jar.’ As the name suggests, the feature allows users to donate sums of money to their preferred content creators on the platform via online payment mechanisms.
Although the platform is yet to roll out the feature in India, the latest reports indicate that the company is already in talks with Indian payment services about doing so in the near future.
At first glance, the feature appears simple enough. Enjoyed a tweet? Looking to show your appreciation to the creator? Great, all you need to do is click on the Tip Jar icon beside the Follow button, upon which you will be provided with a list of payment platforms integrated into Twitter and enabled by the originator of the tweet in question. You just need to select one of the options, choose the amount you wish to send across, and initiate the transaction.
“Tip Jar is an easy way to support the incredible voices that make up the conversation on Twitter. This is a first step in our work to create new ways for people to receive and show support on Twitter – with money,” said Esther Crawford, a senior product manager at the company, via Twitter’s blog. Currently, payments are allowed via Venmo, PayPal, Bandcamp, Patreon and Cash App.
But not long after the rollout of the feature, security researcher Rachel Tobac discovered a serious privacy vulnerability that, it ought to be said, should have been picked up by Twitter’s developers right at the outset.
The researcher discovered that, if a user sought to use PayPal to send someone money, their home address was revealed. What’s more, the US Federal Trade Commission’s chief technologist Ashkan Soltani also found that using the PayPal route may reveal a sender’s email address even without a transaction taking place.
One of the key reasons Twitter has managed to amass millions of users in such a short span of time is the high level of anonymity that the platform provides. Jeopardising this anonymity could then turn many of its most active users away from the site. As per the latest reports, the vulnerability has only been found when using the PayPal option but, given that there are ways to use PayPal without revealing one’s home or email address, it is surprising that Twitter’s developers didn’t spot the problem before unveiling the feature.
The default payment option on PayPal is one dubbed the ‘Goods and Services’ workflow, specifically made for items that travel by post, hence the need for a home address. For a payment like that which Tip Jar encourages, users have to navigate to a different payment mode called ‘Paying for an item or service’ before selecting ‘Sending to a friend’ – an option that isn’t particularly intuitive.
Furthermore, the problem doesn’t just arise for those looking to send money but could crop up for those looking to receive donations as well. If a user does not have a username on PayPal, the payment service, by default, reveals their email address.
Replying to Tobac’s concern, Twitter product lead Kayvan Beykpour tweeted, “this is a good catch, thank you. We can’t control the revealing of the address on Paypal’s side but we will add a warning for people giving tips via PayPal so that they are aware of this.” However, in view of the multitude of growing concerns over privacy dilution in and around social media, one can’t help thinking that the latest, completely avoidable, snag says a great deal about the level of focus Twitter devotes to privacy and user data security. It also, crucially, serves as a reminder of how easy it is to reveal sensitive personal data if you don’t remain vigilant on the internet at all times.