Partiful, a social event planning app that brands itself as “Facebook events for hot people,” has quickly taken over as the preferred way to send out party invites, replacing Facebook. However, like Facebook, Partiful is amassing a vast amount of user data, and its efforts to protect that information have not been flawless.
On Partiful, event organizers can design digital invitations with a nostalgic, bold style, making it as simple for guests to RSVP as it is to order food on a touchscreen. The app’s focus on being both stylish and easy to use has helped it climb to #9 in the iOS App Store’s Lifestyle category. Google even named Partiful the “best app” of 2024.
Today, Partiful functions as a robust social network similar to Facebook, easily charting your friendships, your friends’ connections, your activities, locations, and even your phone numbers.
As the app’s popularity soared, some users began to question its background. A promoter in New York City announced a boycott of Partiful, citing that its founders and some employees previously worked at Palantir, Peter Thiel’s data analytics company, which developed the software used by ICE for the Trump administration’s deportation efforts.
Amid these concerns, TechCrunch created a new account to test Partiful. It quickly became apparent that the app was not removing location data from images uploaded by users, including those used for public profiles.
TechCrunch discovered that anyone with access to a web browser’s developer tools could retrieve unprocessed user profile images from Partiful’s backend, which is hosted on Google Firebase. If a photo included exact GPS data, others could view the precise spot where the image was taken.
Most digital files, such as smartphone photos, carry metadata that details information like file size, creation date, and author. For photos and videos, this metadata can also reveal the camera type, its settings, and the exact latitude and longitude where the image was shot.
This security issue is concerning because anyone using Partiful might have unintentionally exposed the location where their profile photo was taken. Some users’ profile pictures included detailed location information that could pinpoint a home or workplace, especially in less populated areas where individual buildings are easier to identify on a map.
It is standard for platforms hosting user photos and videos to automatically strip metadata upon upload to prevent such privacy breaches.
TechCrunch confirmed the vulnerability by uploading a profile photo to Partiful that had been taken outside San Francisco’s Moscone West Convention Center, complete with embedded location data. Upon checking the image stored on Partiful’s servers, the metadata—including the exact coordinates—remained intact.
After identifying the vulnerability, TechCrunch contacted Partiful co-founders Shreya Murthy and Joy Tao via email, since there is no public channel for reporting security issues. TechCrunch provided a link to a user’s raw profile photo that revealed the user’s real-world location at the time it was taken, which was a residential address in Manhattan.
Tao informed TechCrunch on Friday that their team was already aware of the issue and had recently made it a priority to address it.
Partiful initially said the bug would be fixed by “next week,” but due to the sensitive nature of the data, the company resolved the issue by Saturday at TechCrunch’s request.
On Saturday, TechCrunch confirmed that metadata had been stripped from all user-uploaded photos, including the test image with location data.
Shortly before this article was published, Partiful publicly acknowledged the security issue in a tweet.
When TechCrunch asked whether Partiful had the technical capability—such as logs—to determine if anyone had accessed user profile photos in bulk or individually, spokesperson Jess Eames replied that the matter was “still under investigation but we have found no evidence of this yet.”
Eames added that the company “regularly perform security reviews with experts in the field, not just as a one-time action but as part of our ongoing processes.” When asked, Partiful did not disclose the names of these experts to TechCrunch.
Since its launch in 2022, Partiful has secured over $27 million in funding, including a $20 million Series A round led by Andreessen Horowitz. When asked if a security audit had been conducted before the product’s release, the co-founders declined to answer.
