Partiful's Privacy Scandal: How This Viral Event App Exposed Users' Exact Locations
TechCrunch, 4 hours ago

Summary:

  • Partiful failed to remove GPS metadata from user-uploaded photos, exposing exact locations where photos were taken

  • Anyone could access precise latitude and longitude coordinates using basic web browser tools

  • The security flaw could reveal users' homes or workplaces, creating serious privacy risks

  • Partiful fixed the vulnerability within 24 hours after TechCrunch exposed the issue

  • The company has raised over $27 million from investors including Andreessen Horowitz

  • Partiful's founders include former Palantir employees, raising concerns about data practices

The Security Flaw That Put Users at Risk

Social event planning app Partiful, which proudly calls itself "Facebook events for hot people," has become the dominant platform for party invitations, effectively replacing Facebook in this space. However, Partiful shares more with Facebook than just social functionality—it's amassing vast amounts of user data, and recent findings reveal it failed to adequately protect that data.

Partiful's Meteoric Rise

Partiful allows hosts to create visually striking, retro-style online invitations where guests can RSVP as easily as ordering food on a touchscreen. This user-friendly, trendy approach has propelled the app to #9 on the iOS App Store's Lifestyle charts and earned it Google's recognition as the "best app" of 2024.

The Palantir Connection

As Partiful's popularity grew, scrutiny intensified around the company's origins. Some users began boycotting the platform after discovering that Partiful's founders and several staff members are former employees of Palantir, Peter Thiel's controversial data mining company. Palantir's software powers ICE's master database used in deportation operations, raising concerns about Partiful's data handling practices.

The Critical Security Vulnerability

TechCrunch's investigation revealed that Partiful was not stripping GPS location data from user-uploaded photos, including public profile pictures. Using only standard web browser developer tools, anyone could access raw user photos stored in Partiful's Google Firebase database and extract precise latitude and longitude coordinates where those photos were taken.

Why This Matters

Digital photos contain metadata—hidden information about when and where a photo was captured, including exact GPS coordinates. While most companies automatically remove this metadata to protect user privacy, Partiful failed to implement this basic security measure. Some user profile photos contained location data accurate enough to identify specific homes or workplaces, particularly in rural areas where individual properties are easily distinguishable.
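The server-side step whose absence is described above can be sketched as follows. This is an added example, not code from Partiful or TechCrunch: it walks a JPEG's segments before storage, reports whether the Exif block carried a GPS directory, and drops every APP1 (Exif/XMP) segment. It assumes baseline JPEG input with no fill bytes between segments; the function names and the sample bytes are constructed for illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def has_gps_ifd(tiff: bytes) -> bool:
    """True if the Exif TIFF block's IFD0 carries a GPSInfo pointer."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    e = "<" if tiff[:2] == b"II" else ">"          # byte order
    (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
    if ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack_from(e + "H", tiff, ifd0)
    for off in range(ifd0 + 2, ifd0 + 2 + 12 * count, 12):
        if off + 12 > len(tiff):
            break
        if struct.unpack_from(e + "H", tiff, off)[0] == GPS_IFD_TAG:
            return True
    return False

def strip_metadata(jpeg: bytes):
    """Return (clean_jpeg, had_gps); every APP1 (Exif/XMP) segment is dropped."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out, had_gps, pos = bytearray(jpeg[:2]), False, 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad segment marker")
        marker = jpeg[pos + 1]
        if marker == 0xDA:                         # SOS: image data follows
            return bytes(out + jpeg[pos:]), had_gps
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        seg = jpeg[pos:pos + 2 + length]
        if length < 2 or len(seg) != 2 + length:
            raise ValueError("truncated segment")
        if marker != 0xE1:
            out += seg                             # keep non-metadata segments
        elif seg[4:10] == b"Exif\x00\x00":
            had_gps = had_gps or has_gps_ifd(seg[10:])
        pos += 2 + length
    raise ValueError("no image data found")

# Constructed sample: a JPEG segment skeleton (not a viewable image) whose
# Exif block has one IFD0 entry, the GPSInfo pointer.
_tiff = b"II*\x00" + struct.pack("<IH", 8, 1) + struct.pack("<HHIII", GPS_IFD_TAG, 4, 1, 26, 0)
_exif = b"Exif\x00\x00" + _tiff
SAMPLE = (b"\xff\xd8"
          + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
          + b"\xff\xe1" + struct.pack(">H", len(_exif) + 2) + _exif
          + b"\xff\xda\x00\x02\x11\x22\xff\xd9")
```

Dropping the Exif segment also removes the orientation tag, so a pipeline that relies on it should apply the rotation to the pixels before stripping.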

TechCrunch's Verification

To confirm the vulnerability, TechCrunch uploaded a test profile photo taken outside San Francisco's Moscone West Convention Center. When retrieved from Partiful's servers, the photo still contained the exact coordinates of where it was captured—accurate to within a few feet.

The Response and Fix

After TechCrunch alerted Partiful's co-founders, the company acknowledged the vulnerability was "already on our team's radar" and initially planned to fix it "next week." Given the sensitivity of exposed location data, TechCrunch requested immediate action, and Partiful confirmed the bug was fixed within 24 hours. Subsequent checks confirmed metadata had been removed from all existing user-uploaded photos.

Ongoing Investigations

When asked whether Partiful could determine if anyone had accessed user photos to extract location data, the company stated this was "still under investigation" but that it had found "no evidence of this yet." Partiful claims to perform regular security reviews with external experts but declined to name these experts when pressed.

Funding and Security Oversight

Partiful has raised over $27 million from investors since 2022, including a $20 million Series A round led by Andreessen Horowitz. When questioned whether the company conducted security reviews before launch, Partiful's founders declined to comment.
