Privacy flaw in Path’s iPhone app

Brian X. Chen:

Jeffrey Paul, a data security consultant, on Friday published a blog post pointing out a security flaw in Path for iPhone users. If a user posts a photo inside Path and writes a caption, the app can still share the city or other general location where the photo was taken — even if a user has turned off location sharing for Path in the iPhone’s privacy settings.

Oopsie.



  • http://www.johncblandii.com John C. Bland II

    Man, is this on Apple or Path? It seems Apple should block it at the camera level; maybe Path assumed this during dev.

    Isn’t Path the app behind Contact Gate and aren’t they paying 800k for that?

    Should Apple be under fire for allowing these sort of gaffs?

    (curious in the discussion)

    • Steven Fisher

      It’s Apple’s fault to a greater degree than you suggest.

      From reading the description, this is not Path going out of their way to get location data. This is Apple including it in the image without Path requesting it.

      Path will have to be changed to strip the EXIF data out.

      This was sloppy on Apple’s part. Maybe EXIF data should be protected by a gate like contact information is, maybe not. It probably should. But even without that, Apple shouldn’t be including it in images without being asked by the app at least.

      • http://www.johncblandii.com John C. Bland II

        I’m 100% with you on that front; asked it that way to ignore a flame war. ;-)

        The problem I see is developers will be blamed now instead of Apple, who is at fault.

  • http://twitter.com/kevinbehringer Kevin Behringer

    Can Path do anything without causing some sort of security glitch?

  • JasonDiaz

    54 days I warned them about the EXIF. https://twitter.com/Jason_diaz/status/277558392422277120

  • http://twitter.com/cutterpillow Dave Thorup

    Alright, this is getting utterly ridiculous. I have news for everyone, any app that has ever allowed you to pick a photo from the camera roll probably suffers from this “privacy flaw”. So why does anyone give a damn?

    Here’s how it works, you, the user took a picture with Apple’s Camera app and you allowed that app to embed GPS data because you granted it permission to record you location. So you, the user are solely responsible for having put GPS data into your photo. You then use another application – Path, Flickr, Camera+, Camera Awesome, Snapseed, etc. – to import that photo from the camera roll. That photo still contains GPS information just as it always did because you wanted it there when you took it. So when that app posts the photo online it will still contain the GPS information. You enabled GPS to be embedded when you took the picture and you explicitly granted the app access to that GPS data by importing the photo into the app. End of story. And now, suddenly, that’s a privacy outrage. Cry me a river.

    If an app imports a photo with GPS data in the EXIF then it should export the photo with that data. I wouldn’t use an app that didn’t as I want to remember where I took my photos. What’s next, are we going to demand that developers strip the EXIF from photos? We can’t include the lens data in the EXIF because it’s revealing too much about the camera – that’s a privacy violation! Can’t include the camera model in the EXIF – someone might know that you took the photo with an iPhone – privacy violation! Date & time information? No, strip that too, someone might use it to track you – privacy violation!

    It’s ridiculous and moronic. Where does it end? Pretty soon every damn thing you want to do with your iPhone will require authorization. This is why we can’t have nice things.

    If you don’t want GPS data embedded in your photos THEN DON’T GIVE THE CAMERA PERMISSION TO USE LOCATION SERVICES! It’s as simple as that. And leave the rest of us alone.