Path and Hipster apps found swiping users’ address books

“The popular Path photo-sharing app is uploading users’ entire address books to its servers, a developer has discovered – and Path says it’s not a mistake,” Emma Woollacott reports for TG Daily. “Hipster’s claimed to be doing the same.”

“Arun Thampi, a developer on the Denso video-sharing application, says he discovered the ‘feature’ while attempting to write his own OS X version of the app,” Woollacott reports. “Dave Morin, the CEO of Path, has defended the company’s actions, saying that he never in his wildest dreams imagined that it could cause such a fuss. ‘We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more,’ he told Thampi. He says that the company will now make it an opt-in feature.”

Woollacott reports, “Meanwhile, social media app Hipster is doing the same thing…”

Read more in the full article here.

Mark Chang blogs, “The Hipster app, in an unsecured HTTP GET request, sends a big chunk of your iPhone address book in the form of an email param that includes a comma-separated list of email addresses.”

This is offensive for a few reasons:
1. Hipster never asked me for permission to send my address book emails to them.
2. Hipster does not say anything (AFAIK) about if they are storing those emails or what.
3. The Hipster app allows you to deselect the “Contacts” button when looking for new friends, but it is enabled by default. Therefore, there is no way to avoid sending address book emails to Hipster, as far as I can tell.

Much more in the full article here.

Hipster CEO Doug Ludlow writes in a guest post at TechCrunch, “We blew it, we’re sorry, and we’re going to make it right.”

“Mark’s criticisms were spot on, and needless to say we’re pretty embarrassed by the situation,” Ludlow writes. “Embarrassed not because we had malicious goals in mind (we don’t store the contact data we pull – we just match it to existing users), but embarrassed by the fact that we pushed a feature that doesn’t meet our standards for the protection of our user’s data.”

Ludlow writes, “How are we working to remedy the situation? In an update that will be available through iTunes this week, we’ve changed the way our ‘Find Friends’ feature works on iOS. Rather than automatically pull in a user’s contacts to help them find people already on Hipster, we’re making this feature opt-in, and users will have to confirm that they want to grant access to their address book. In addition, this data will now be transferred through a SLL connection.”

Read more in the full article here.

Nathan Olivarez-Giles reports for The Los Angeles Times, “In a little over a day, the social networking app Path has gone from facing a wave of criticism to riding a swell of praise over how it handles its users’ private data — more specifically, address books uploaded from Apple iPhones to Path servers.”

“On Wednesday, Path’s chief executive and co-founder issued an apology on the San Francisco start-up’s blog and the company quickly deleted the collected user data and updated its iOS app, all while promising more transparency in how it collects and uses information from its users,” Olivarez-Giles reports. “‘We believe you should have control when it comes to sharing your personal information,’ Morin said in the blog post. ‘We also believe that actions speak louder than words. So, as a clear signal of our commitment to your privacy, we’ve deleted the entire collection of user uploaded contact information from our servers. Your trust matters to us and we want you to feel completely in control of your information on Path. In Path 2.0.6, released to the App Store today, you are prompted to opt in or out of sharing your phone’s contacts with our servers in order to find your friends and family on Path.'”

“After Path’s quick update of its iOS app on Wednesday, many applauded the social network, which markets itself as a more privacy-focused alternative to publicly minded networks, such as Facebook and Twitter,” Olivarez-Giles reports. “Brad McCarty, the managing editor of the Next Web, said on Twitter that Path’s response was a ‘class move.’ Tech pundit John Gruber said Morin’s apology and the app update were the ‘perfect response.'”

Read more in the full article here.

12 Comments

  1. They’re full of shit. He’s lying. It was not an accidental oversight. They do what they want to do until caught. Even on an iPhone through the App Store. Then they apologize because it was a “mistake”! They all do something malicious but most do not get caught. Trust no one.

    1. From the second paragraph above:

      “‘Arun Thampi, a developer on the Denso video-sharing application, says he discovered the ‘feature’ while attempting to write his own OS X version of the app,’ Woollacott reports.”

    1. Apple can’t arbitrarily fine them unless their developer’s agreement says otherwise, which it does not.

      Apple reserves the right to discontinue offering their product, but they can’t charge them for it!

  2. This is bad but there is a deeper problem – Apple is not requiring explicit user authorization before permitting apps to access the address book – this is a major security lapse – a very bad, very old bug that Apple needs to fix fast.  

    Even Android requires this.  And this is not new, altho it is new to hitting the fan in a big way.

    Address book should be treated just like GPS location – sensitive user data protected by default

    App vendors have been apologizing and “apologizing” for this for years – since at least December 2009:

    http://techcrunch.com/2009/12/16/nuance-updates-dragon-dictation-app-to-let-you-keep-your-contacts-secret/

    More at:

    http://www.zdnet.com/blog/apple/apple-doesnt-enforce-its-own-address-book-policy/12211

     More technical:

    http://blog.mugunthkumar.com/articles/some-thoughts-on-ios-and-your-privacy-address-book/

  3. I wonder how many people have things like Credit Card info and passwords for email, forums, etc.. stored in the Notes field in their address book… Hmm, I better make sure I don’t…

  4. I’ll admit it, I do save partial passwords and usernames in the notes field of my address book so this is a rude awakening.

    I haven’t seen anything on the web yet that explicitly addresses whether or not apps can access the notes field. Anyone?

    Clearly, regardless of answer, a switch to something like 1Password is now appropriate… unless they’re also copy your data. (making them a lucrative future hacking target…? )

Add Your Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.