If you’re one of the 2 million users of Path – the personal life-sharing service, you might want to read this.
Singapore based developer and blogger Arun Thampi has discovered that Path’s slick iPhone app uploads your entire address book to its servers while he was trying to hack it to implement a Path Mac OS X app.
Thampi writes an account on how he discovered what appears to be a major privacy issue on his blog:
It all started innocently enough. I was thinking of implementing a Path Mac OS X app as part of our regularly scheduled hackathon. Using the awesome mitmproxy tool which was featured on the front page of Hacker News yesterday, I started to observe the various API calls made to Path’s servers from the iPhone app. It all seemed harmless enough until I observed a
POST request to
Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.
Path’s CEO and co-founder Dave Morin tried to address the concern raised by Thampi in the comments section, which has now also been updated in the blog post by Thampi.
Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
The major concern here is that the entire address book is being uploaded to Path’s servers without informing or taking an authorization from users.
As The Next Web points out that apps that typically use the address book, hash the data and save only the checksum rather than saving the entire data in plain text format on the servers. Morin has said that they would look at implementing the hashing procedure as that’s the industry best practice.
If you’re really spooked by this revelation then you can send a email to email@example.com and request them to delete your address book account from their servers.
We feel that though it was poor decision on Path’s part not to have the opt-in and the hashing procedure in place from the beginning, they have been extremely proactive and honest in dealing with the situation. It’s a young company and we’re sure that this incident will put privacy on the top of their priority list when they decide on which new features should be rolled out next.
It remains to be seen if their users will give them a second chance (third chance in case of users who used their initial version, which did not take off).
[via Arun Thampi's blog]