The social event planning app Partiful, which describes itself as "Facebook events for hot people," has become the primary platform for sending party invitations, effectively replacing Facebook. However, Partiful shares another significant trait with Facebook: it collects a vast amount of user data, and it could have done a better job securing that information.
On Partiful, hosts create online invitations with a retro, maximalist style. Guests can RSVP to events with the simplicity of ordering a salad on a touch-screen. The app’s user-friendly and trendy design has propelled it to number nine on the iOS App Store’s Lifestyle charts. Google even named Partiful the best app of 2024. The platform has now evolved into a powerful social graph similar to Facebook, easily mapping out who your friends are, who your friends’ friends are, what you do, where you go, and collecting all of your phone numbers.
As Partiful’s popularity grew, some users became skeptical of the company’s background. A New York City promoter announced a boycott of Partiful because its founders and some staff are former employees of Palantir. Palantir is Peter Thiel’s data mining company, which produces software that powers the master database for ICE, used in the Trump administration’s deportation crackdown.
In light of this speculation, TechCrunch created a new account to test Partiful. The investigation found that the app was not removing location data from user-uploaded images, including public profile photos. TechCrunch discovered that anyone could use the developer tools in a web browser to access raw user profile photos stored in Partiful’s backend database on Google Firebase. If a user’s photo contained the precise real-world location where it was taken, anyone else could view those exact coordinates.
Almost all digital files, like smartphone pictures, contain metadata. This metadata includes information such as file size, creation date, and author. For photos and videos, metadata can also include details about the camera used and the precise latitude and longitude coordinates where the image was captured.
This security flaw was problematic because any Partiful user could have revealed the location where a person’s profile photo was taken. Some profile photos contained highly granular location data that could be used to identify a person’s home or workplace, particularly in rural areas where individual homes are easier to distinguish on a map. It is standard practice for companies hosting user images to automatically remove metadata upon upload to prevent such privacy lapses.
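The upload-time check and strip described above, as an added example that is not Partiful's or TechCrunch's code: it walks a JPEG's segments, reports whether the Exif block carries a GPS pointer, and re-emits the file without the metadata segments. The function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

def _seg(marker, body):
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body

def segments(jpeg):
    """Yield (marker, body) per header segment; from SOS on, yield the rest verbatim."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # start of scan: compressed image data follows
            yield marker, jpeg[pos:]
            return
        if length < 2 or pos + 2 + length > len(jpeg):
            break
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("malformed JPEG: no scan data reached")

def has_gps(jpeg):
    """True if an Exif APP1 segment's IFD0 carries the GPSInfo pointer (tag 0x8825)."""
    for marker, body in segments(jpeg):
        if marker != 0xE1 or not body.startswith(b"Exif\0\0") or len(body) < 14:
            continue
        tiff = body[6:]
        order = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order: II little, MM big
        ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
        count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2].ljust(2, b"\0"))[0]
        for i in range(count):
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            if len(entry) == 12 and struct.unpack(order + "H", entry[:2])[0] == 0x8825:
                return True
    return False

def strip_metadata(jpeg):
    """Re-emit the file without APP1 (Exif, XMP) and COM segments; pixels are untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, body in segments(jpeg):
        if marker == 0xDA:
            out += body
        elif marker not in (0xE1, 0xFE):
            out += _seg(marker, body)
    return bytes(out)

# Constructed sample: SOI, JFIF APP0, Exif APP1 holding only a GPSInfo pointer, SOS, EOI.
_TIFF = (b"MM\x00\x2a" + struct.pack(">IH", 8, 1) + struct.pack(">HHII", 0x8825, 4, 1, 26)
         + struct.pack(">IHI", 0, 0, 0))
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\0\0" + _TIFF) + b"\xff\xda\x00\x02\x00\xff\xd9")
```

Removing the Exif segment also removes the Orientation tag, so an upload pipeline should apply the rotation to the pixels before stripping.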
TechCrunch verified the bug by uploading a new profile photo taken outside the Moscone West Convention Center in San Francisco, which contained the photo’s precise location. When they checked the metadata of the photo stored on Partiful’s server, it still contained the exact coordinates of where the image was taken, accurate to within a few feet.
After discovering the security flaw, TechCrunch alerted Partiful co-founders Shreya Murthy and Joy Tao by email, as the app lacks a public method for reporting security issues. TechCrunch provided a link to a Partiful user’s raw profile photo that contained a real-world location, which was a residential address in Manhattan.
Tao stated that the vulnerability was already on the team’s radar and had been prioritized for an upcoming fix. Partiful initially provided a timeline to fix the flaw by the following week, but given the sensitivity of the data, the company fixed the bug by Saturday at TechCrunch’s request. TechCrunch confirmed that metadata was removed from existing user-uploaded photos, including their test photo. Partiful later disclosed the security lapse in a tweet just before this story was published.
When asked if Partiful has the technical means to determine if there was any direct or bulk access to user profile photos stored in its database, Partiful spokesperson Jess Eames said that was still under investigation but they had found no evidence of it yet. Eames stated the company regularly performs security reviews with experts as part of its ongoing processes, but Partiful did not provide the names of these experts when asked.
Partiful has raised over $27 million from investors since its founding in 2022, including a $20 million Series A funding round led by Andreessen Horowitz. TechCrunch asked Partiful’s co-founders if they had commissioned a security review of their product before launch, but the company would not say.

