Path, the social media company that just paid $800,000 in damages for privacy violations to the Federal Trade Commission, has run into another bit of privacy trouble. A security researcher has pointed out a loophole that allows Path to share location data even when a user has turned off location sharing.
Jeffrey Paul, a data security consultant, on Friday published a blog post pointing out a security flaw in Path for iPhone users. If a user posts a photo inside Path and writes a caption, the app can still share the city or other general location where the photo was taken — even if a user has turned off location sharing for Path in the iPhone’s privacy settings.
The Times reports that a quick test confirmed the loophole. Location information is shared through a photo caption if a user has allowed the iPhone camera to tag photos with location information.
In an interview, Paul said that if a user has asked that his location data not be shared through Path, the app should remove the photo’s location information before publishing, so the location is not shared. He says Twitter does this when a user requests that his location not be shared. Paul says he discovered the leak when he posted a photo on Path.
Path did not immediately respond to requests for a comment. However, Dylan Casey, a product manager at Path, posted a comment on Paul’s blog. Saying the company was unaware of the privacy flaw and had issued a new version of the app to Apple that fixes the problem.
