Partiful Exposed User Locations in Uploaded Photos

Summary
– Partiful has replaced Facebook as the leading platform for party invitations and collects extensive user data, similar to Facebook’s practices.
– The app functions as a social graph, mapping users’ friendships, activities, locations, and phone numbers based on event interactions.
– Partiful faced user skepticism due to its founders’ backgrounds as former employees of Palantir, a data mining company linked to government surveillance.
– TechCrunch discovered a security flaw where Partiful failed to strip location metadata from user-uploaded photos, risking exposure of precise coordinates like homes or workplaces.
– After being alerted, Partiful quickly fixed the vulnerability by removing metadata from photos, but the company is still investigating potential unauthorized access to user data.
The social event planning application Partiful has rapidly become the preferred platform for organizing parties, effectively displacing Facebook as the top choice for digital invitations. Known for its retro, vibrant invitation designs and straightforward RSVP process, the app has climbed to number nine on the iOS Lifestyle charts and earned Google’s recognition as the best app of 2024. However, this surge in popularity has brought increased scrutiny to the company’s data handling practices.
Partiful functions much like a modern social graph, revealing extensive details about users’ friendships, activities, and contact information. As its user base expanded, concerns emerged about the backgrounds of its founders and staff. Several are former employees of Palantir, Peter Thiel’s data analytics firm, which has provided technology to U.S. Immigration and Customs Enforcement. This connection prompted at least one New York promoter to publicly boycott the app.
In response to user speculation, TechCrunch conducted tests on a new Partiful account. Investigators discovered that the platform was failing to remove location metadata from photos uploaded by users, including those set as public profile pictures. Using standard web browser developer tools, anyone could access the original images stored on Partiful’s Google Firebase database. If a photo contained embedded GPS coordinates, those precise location details remained accessible.
Digital images captured on smartphones typically include metadata: details such as the creation date, the camera type and, sometimes, exact latitude and longitude. Most responsible platforms automatically strip this data during upload to protect user privacy, but Partiful was not following this common security practice.
To confirm the vulnerability, TechCrunch uploaded a profile picture taken outside San Francisco’s Moscone West Convention Center, which included specific location coordinates. Even after being stored on Partiful’s servers, the image retained its exact GPS data, accurate to within a few feet. This kind of exposure could potentially reveal sensitive locations like a person’s home or workplace, particularly in less densely populated areas.
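As an added illustration of the upload-time check and strip described above (example code, not TechCrunch's or Partiful's), the following Python walks a JPEG's marker segments, reports whether the Exif block in IFD0 carries the GPS sub-IFD pointer, and removes the Exif/IPTC segments before the file would be stored. The JPEG fixture in `build_sample` is constructed for the demonstration and contains no real image data.

```python
import struct

SOS, APP1, APP13 = 0xFFDA, 0xFFE1, 0xFFED
GPS_IFD_POINTER = 0x8825  # Exif tag in IFD0 that points at the GPS sub-IFD

def _segments(data):
    """Yield (marker, start, end) for each marker segment after SOI, up to and including SOS."""
    pos, marker = 2, None
    while marker != SOS and pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        end = pos + 2 + length  # length counts itself but not the 2-byte marker
        yield marker, pos, end
        pos = end

def has_gps_metadata(data):
    """True if an APP1 Exif segment's IFD0 contains the GPS IFD pointer tag."""
    for marker, start, end in _segments(data):
        payload = data[start + 4:end]
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff, endian = payload[6:], (">" if payload[6:8] == b"MM" else "<")
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):  # 12-byte entries: tag, type, count, value/offset
            tag = struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0]
            if tag == GPS_IFD_POINTER:
                return True
    return False

def strip_metadata(data):
    """Copy of `data` with APP1 (Exif/XMP) and APP13 (IPTC) segments removed; pixels untouched."""
    out = bytearray(data[:2])  # SOI
    for marker, start, end in _segments(data):
        if marker not in (APP1, APP13):
            out += data[start:end]
        if marker == SOS:
            out += data[end:]  # entropy-coded scan data through EOI, copied verbatim
    return bytes(out)

def build_sample(with_gps):
    """Constructed fixture (not a real photo): JPEG skeleton with one Exif IFD0 entry."""
    entry = (struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26) if with_gps  # LONG -> GPS sub-IFD
             else struct.pack(">HHIHH", 0x0112, 3, 1, 1, 0))             # Orientation SHORT = 1
    ifd0 = struct.pack(">H", 1) + entry + struct.pack(">I", 0)  # one entry, no next IFD
    app1 = b"Exif\x00\x00MM\x00\x2a" + struct.pack(">I", 8) + ifd0
    sos = b"\x01\x01\x00\x00\x3f\x00"  # minimal SOS header, one component
    return (b"\xff\xd8" + struct.pack(">HH", APP1, len(app1) + 2) + app1
            + struct.pack(">HH", SOS, len(sos) + 2) + sos + b"\x00\x00\xff\xd9")
```

Run `has_gps_metadata` on the original upload to log how often location data arrives, and store only the output of `strip_metadata`; the derived file is what any public URL should serve.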
After identifying the security flaw, TechCrunch notified Partiful co-founders Shreya Murthy and Joy Tao by email, as the company does not provide a public channel for reporting such issues. The team shared a link to a user’s profile photo that displayed a residential address in Manhattan. Tao acknowledged the problem, noting it was already on the development team’s radar and scheduled for repair.
Although Partiful initially projected a fix for the following week, the company accelerated its response and resolved the issue by Saturday. TechCrunch verified that metadata had been successfully removed from both existing and newly uploaded user photos. Partiful publicly disclosed the security lapse via Twitter just before this story was published.
When questioned about whether the company could determine if user photos had been accessed inappropriately, spokesperson Jess Eames stated the matter remained under investigation, though no evidence of misuse had been found. Eames also mentioned that Partiful conducts regular security reviews with external experts as part of its ongoing operations, though the company declined to name those experts when asked.
Since its launch in 2022, Partiful has secured more than $27 million in venture funding, including a $20 million Series A round led by Andreessen Horowitz. When asked whether a security review was conducted prior to the app’s public release, the co-founders did not provide a response.
(Source: TechCrunch)