Social event planning app Partiful, which calls itself โFacebook events for hot people,โ has firmly replaced Facebook as the go-to platform for sending party invitations. But what Partiful also has in common with Facebook is that itโs collecting a tsunami of user data, and Partiful could have done better at keeping that data secure.
On Partiful, hosts can create online invitations with a retro, maximalist vibe, allowing guests to RSVP to events with the ease of ordering a salad on a touch-screen. Partiful aims to be user-friendly and trendy, propelling the app to #9 on the iOS App Storeโs Lifestyle charts. Google called Partiful the โbest appโ of 2024.ย
Now, Partiful has evolved into a powerful Facebook-like social graph, easily mapping who your friends are and who your friendsโ friends are, what you do, where you go, and all of your phone numbers.
As Partiful grew more popular, some users became skeptical of the companyโs origins. One New York City promoter announced that it was boycotting Partiful because its founders and some staff are former employees of Palantir, Peter Thielโs data mining company, which produces the software that powers ICEโs master database for the Trump administrationโs deportation crackdown.
Given some of the speculation around the app, TechCrunch set up a new account and tested Partiful. We soon found that the app was not stripping the location data of user-uploaded images, including public profile photos.
TechCrunch found it was possible for anyone, using only the developer tools in a web browser, to access raw user profile photos stored in Partifulโs backend database hosted on Google Firebase. If the userโs photo contained the precise real-world location of where it was taken, anyone else could have also viewed the precise coordinates of where that photo was taken.
Almost all digital files, like the pictures you take on a smartphone, contain metadata, which includes information like the file size, when it was created, and by whom. In the case of photos and videos, metadata can include information about the kind of camera used and its settings, as well as the precise latitude and longitude coordinates of where the image was captured.
The security flaw is problematic because anyone using Partiful could have revealed the location of where a personโs profile photo was snapped. Some Partiful user profile photos contained highly granular location data that could be used to identify the personโs home or work, particularly in rural areas where individual homes are easier to distinguish on a map.
Itโs common practice for companies that host user images and videos to automatically remove metadata upon upload to prevent privacy lapses like this.ย
TechCrunch verified the bug ourselves by uploading a new Partiful profile photo that we had previously captured from outside of the Moscone West Convention Center in San Francisco, which contained the photoโs precise location. When we checked the metadata of the photo stored on Partifulโs server, it still contained the exact coordinates of where the image was taken down to a few feet.
After discovering the security flaw, TechCrunch alerted Partiful co-founders Shreya Murthy and Joy Tao by email, as Partiful does not have a public means for reporting security flaws. TechCrunch shared a link to a Partiful userโs raw profile photo containing that userโs real-world location at the time the photo was taken, a residential address in Manhattan.
Tao told TechCrunch on Friday that the vulnerability was โalready on our teamโs radar, and was recently prioritized as an upcoming fix.โย
Partiful initially provided a timeline to fix the flaw by โnext week,โ but given the sensitivity of the data involved, Partiful fixed the bug by Saturday at TechCrunchโs request.
TechCrunch confirmed Saturday that metadata was removed from existing user-uploaded photos. The profile photo that we uploaded with our real-world location also had the metadata removed.ย
Partiful disclosed the security lapse in a tweet shortly before the publishing of this story.
When asked by TechCrunch if Partiful has the technical means, such as logs, to determine if there was any direct or bulk access to user profile photos stored in its database, Partiful spokesperson Jess Eames said this was โstill under investigation but we have found no evidence of this yet.โ
Eames said the company โregularly perform security reviews with experts in the field, not just as a one-time action but as part of our ongoing processes.โ Partiful did not provide TechCrunch with the name of the experts when asked.
Partiful has raised over $27 million from investors since its founding in 2022, including a $20 million Series A funding round led by Andreessen Horowitz. TechCrunch asked Partifulโs co-founders if they had commissioned a security review of their product before launch, but would not say.
