Event startup Partiful wasn’t stripping GPS locations from user-uploaded photos

Partiful, the social event planning application often dubbed as 'Facebook events for hot people,' has quickly gained popularity as a preferred platform for sending out party invitations, even overtaking Facebook in this space. However, alongside its rise has come scrutiny regarding the handling of user data. The app, which allows hosts to create vibrant online invitations and streamlines the RSVP process, recently faced criticism for not adequately securing user-uploaded images. Users have raised concerns about the potential risks associated with the app's data collection practices, particularly given its founders’ ties to Palantir, a company known for its data analytics services linked to controversial government initiatives. In a recent investigation, TechCrunch discovered that Partiful was not stripping GPS location data from user-uploaded photos, including profile images. Using standard web developer tools, it was revealed that anyone could access raw photos stored in Partiful’s backend database on Google Firebase. This oversight meant that if a photo included location data, others could potentially determine the exact coordinates where it was taken. Metadata embedded in digital files, such as photos, often includes sensitive information like creation time and geographic coordinates. The implications of this security flaw are significant, particularly for users in rural areas where specific locations can be easily identified on a map. Typically, companies hosting such images take preventive measures to remove this metadata upon upload to protect user privacy. To test the vulnerability, TechCrunch uploaded a profile picture containing its precise location from outside the Moscone West Convention Center in San Francisco. Upon checking, the metadata was still intact, revealing the exact location of the photo. Following this discovery, TechCrunch reached out to Partiful's co-founders, Shreya Murthy and Joy Tao, via email, as the platform lacks a public method for reporting security issues. In response, Tao indicated that the issue was already on their radar and had been prioritized for a fix. Initially, the company projected a timeline for resolution by the following week; however, due to the sensitive nature of the data, the bug was addressed by Saturday at TechCrunch’s request. Post-fix, TechCrunch confirmed that the metadata had been effectively removed from all existing user-uploaded images. Partiful also publicly acknowledged the security lapse on Twitter just before this article was published. When questioned about the possibility of unauthorized access to user photos, a Partiful spokesperson stated that this is still under investigation, but no evidence has been found yet. Partiful has secured over $27 million in funding since its inception in 2022, including a $20 million Series A round led by Andreessen Horowitz. Despite the ongoing concerns, the startup continues to evolve its platform and aims to enhance its security measures moving forward.