Partiful, the social event planning app known as the “Facebook Events for hot people,” has firmly replaced Facebook as the go-to platform for sending party invitations. What it has in common with Facebook is that it collects tsunamis of user data, and, as it turns out, it has not always kept that data safe.
The app lets hosts create online invitations with a retro flair and lets guests RSVP to an event. Partiful's user-friendly, trendy feel has propelled the app to #9 on the iOS App Store lifestyle chart, and Google called Partiful its “best app” of 2024.
Partiful has now grown into a powerful social graph much like Facebook's, mapping phone numbers to who people's friends are, what they are doing, and where they go.
As its popularity grew, some users became skeptical of the company's origins. A New York City promoter announced a boycott because Partiful's founders and some of its staff are former employees of Palantir, the data-mining company of Peter Thiel, which produces software that powers ICE's master database used in the Trump administration's deportation efforts.
Given some of the speculation around the app, TechCrunch set up a new account and tested its security. We quickly found that the app was not removing location data from images uploaded by users, including public profile photos.
TechCrunch discovered that it was possible to access the raw user profile photos stored in Partiful's backend database, hosted on Google Firebase, using only the developer tools built into a web browser. If a user's photo contained the real-world location where it was taken, anyone else could see the exact coordinates of where that photo was snapped.
Almost every digital file, such as a photo taken with a smartphone, carries metadata: information such as the file size, who created it, and when. For photos and videos, the metadata can include the type of camera used and its settings, as well as the exact latitude and longitude of where the image was captured.
The security flaw is an issue for anyone using Partiful, since it may have revealed where a person's profile picture was snapped. Some user profile photos contain location data fine-grained enough to identify people's homes and workplaces, especially in rural areas where individual homes are easily picked out on a map.
It is common practice for companies that host users' images and videos to automatically strip metadata on upload, precisely to prevent this kind of privacy lapse.
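As an added illustration of that upload-time practice (example code written for this page, not Partiful's own implementation), the stand-alone Python sketch below walks a JPEG's header segments, reports whether the Exif block carries a GPS sub-IFD, and strips the APP1 (Exif/XMP) segments so the stored file no longer contains coordinates. The sample JPEG is constructed inline and is not a real photo.

```python
import struct

SOS, APP1 = 0xFFDA, 0xFFE1            # start-of-scan and APP1 (Exif/XMP) markers
GPS_IFD_POINTER = 0x8825              # IFD0 tag that points at the GPS sub-IFD

def _segments(jpeg: bytes):
    """Yield (marker, start, end, payload) for each header segment before SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == SOS:             # entropy-coded pixel data follows
            break
        end = pos + 2 + length        # length counts itself but not the marker
        yield marker, pos, end, jpeg[pos + 4:end]
        pos = end

def strip_app1(jpeg: bytes) -> bytes:
    """Return a copy with every APP1 segment removed; pixel data is untouched."""
    out, tail = bytearray(jpeg[:2]), 2
    for marker, start, end, _ in _segments(jpeg):
        if marker != APP1:
            out += jpeg[start:end]
        tail = end
    return bytes(out + jpeg[tail:])   # SOS and everything after it copied verbatim

def exif_has_gps(jpeg: bytes) -> bool:
    """True if an Exif APP1 segment's IFD0 contains a GPSInfo IFD pointer."""
    for marker, _, _, payload in _segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        bo = ">" if tiff[:2] == b"MM" else "<"          # TIFF byte order
        (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
        (count,) = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            entry = ifd0 + 2 + 12 * i                    # 12-byte IFD entries
            if struct.unpack(bo + "H", tiff[entry:entry + 2])[0] == GPS_IFD_POINTER:
                return True
    return False

def build_sample_jpeg() -> bytes:
    """Constructed sample: SOI, Exif APP1 whose IFD0 points at a GPS IFD, SOS, EOI."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                        # header; IFD0 at 8
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26)
    tiff += struct.pack(">I", 0)                                        # no next IFD; GPS IFD at 26
    tiff += struct.pack(">H", 1) + struct.pack(">HHI", 1, 2, 2) + b"N\x00\x00\x00"  # GPSLatitudeRef
    tiff += struct.pack(">I", 0)
    payload = b"Exif\x00\x00" + tiff
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload
    sos = struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00"      # minimal scan header
    return b"\xff\xd8" + app1 + sos + b"\x12\x34\xff\xd9"
```

Running `exif_has_gps` on an upload before it is stored, and `strip_app1` when it reports true, is the check and mitigation the paragraph describes.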
TechCrunch confirmed the bug by uploading a new profile photo, previously taken outside the Moscone West Convention Center in San Francisco, that included the exact location of the photo. When I checked the photo's metadata as stored on Partiful's server, it contained the exact coordinates of where the image was taken, accurate to within a few feet.
TechCrunch's profile photo with GPS coordinates, as uploaded to Partiful. Image credits: TechCrunch
Where the profile picture was taken, shown in Google Maps. Image credits: TechCrunch
After discovering the security flaw, TechCrunch emailed Partiful co-founders Shreya Murthy and Joy Tao. TechCrunch shared a link to one user's raw profile photo, which included the user's actual location when the photo was taken: a Manhattan address.
Tao told TechCrunch on Friday that the vulnerability was “already on the team's radar and was recently given priority as a future fix.”
Partiful initially gave a timeline of “next week” to fix the flaw, but given the sensitivity of the data involved, it fixed the bug by Saturday in response to TechCrunch's request.
TechCrunch confirmed on Saturday that metadata had been removed from existing users' photos, and that metadata was also stripped from newly uploaded profile photos containing real-world locations.
Just before this story was published, the security fix was disclosed in a tweet.
When TechCrunch asked whether Partiful has technical measures, such as logs, to determine whether anyone had directly accessed, or accessed in bulk, the user profile photos stored in the database, Partiful spokesperson Jess Eames said this was “still under investigation, but no evidence of this has been found yet.”
Eames said the company “runs regular security reviews with experts in this field not only as a one-off action but as part of an ongoing process.” Partiful did not name those experts when TechCrunch asked.
Partiful has raised more than $27 million from investors since its founding in 2022, including a $20 million Series A funding round led by Andreessen Horowitz. TechCrunch asked the Partiful co-founders whether they had commissioned a security review of the product prior to its launch, but they did not say.