Social media giant Twitter announced last week that it will be introducing a Tip Jar option to make it easier for creators to earn an extra buck on the platform, while also allowing other users to express appreciation for their work. The new feature seems really cool, and especially great for creators, but like all good things, it has a catch. It has been revealed that the feature has a massive security issue that can put users’ privacy at risk if they’re not careful.
Tip Jar Can Reveal Your Address
Rachel Tobac, a well-known security researcher, has found that using the Tip Jar to send money to fellow Twitter users can reveal the sender’s address. This, apart from being completely unnecessary, is also a great privacy concern.
She shared through her personal Twitter account that the problem arises only if the user chooses PayPal as the payment provider while sending money through the Tip Jar. Making a payment through PayPal exposes the sender’s address to the receiver upon receipt of the tip. She said that she had confirmed the glitch by sending money to another user through PayPal herself.
Fault on PayPal’s End
Twitter product lead Kayvon Beykpour spoke on the issue, saying that the problem is not on their side, but rather on PayPal’s side. He said, “We can’t control the revealing of the address on PayPal’s side but we will add a warning for people giving tips via PayPal so that they are aware of this.”
PayPal also took note of the matter. It said that the problem arises only when users send money through “Goods and Commodity”, and does not occur when some other category, such as “Friends and Family”, is selected. The user’s address is also not revealed if any other payment provider is used in place of PayPal.
Recipients Not Safe Either
The recipient’s side of the deal is also not free from security issues, as the Tip Jar can reveal their email address which is linked to their account. This happens even if they’re not receiving money from anyone.
Twitter had previously said while announcing the product, which is currently in beta, “When you add a third-party payment service to your profile, please note that your username on that service will be publicly linked to your Twitter account. Information about you, including your full name or address and your tip may be shared with the recipient or others, subject to the terms of the third-party payment service. Please review each service’s terms for more details.”