Twitter’s Tip Jar can show your home address if you’re not careful, researcher finds

Twitter says it will add a prompt alerting people about apps sharing info.

 

Andrew Wyrich

Posted on May 7, 2021   Updated on May 7, 2021, 11:56 am CDT

Twitter is rolling out a way to pay fellow users called “Tip Jar,” but some security researchers have found that the new feature could pose some privacy concerns.

The “Tip Jar” feature, which only some users can currently set up, lets someone add a button to their Twitter profile through which other users can send them money via numerous platforms like Bandcamp, Cash App, Patreon, PayPal, and Venmo.

When someone clicks on one of the payment options, it sends them to that app to continue making the transaction. The general idea, according to Twitter, is for people to have an easy way to send each other money instead of “sharing your PayPal link after your tweet goes viral.”

Twitter announced that it was rolling out “Tip Jar” on Thursday, and one security researcher soon noticed that people may be unintentionally giving out their private information to whomever they decide to tip on Twitter.

Rachel Tobac, the CEO of SocialProof Security, noticed that if someone uses PayPal to tip someone on Twitter, the sender's personal address is readily viewable to whoever receives the tip. Tobac tested the feature with prolific Twitter user Yashar Ali.

“Huge heads up on PayPal Twitter Tip Jar. If you send a person a tip using PayPal, when the receiver opens up the receipt from the tip you sent, they get your *address*. Just tested to confirm by tipping @yashar on Twitter w/ PayPal and he did in fact get my address I tipped him,” Tobac tweeted on Thursday.

As Tobac noted, the visible address was a PayPal feature, not Twitter’s. However, she stressed that Twitter should alert users who are tipping that their address could be visible.

If you tip a Twitter user you know well, their seeing your home address might not be much of a concern, but if you see a viral tweet from a stranger and want to send them money, it could obviously become a privacy concern.

Soon enough, Twitter’s product lead Kayvon Beykpour replied to Tobac, calling it a “good catch” and saying that they would add a warning for Twitter users who use PayPal to tip users.

“This is a good catch, thank you. we can’t control the revealing of the address on Paypal’s side but we will add a warning for people giving tips via Paypal so that they are aware of this,” Beykpour tweeted.

Twitter’s Support account also reiterated that it would be updating the prompt users see before tipping to “make it clearer that other apps may share info between people sending/receiving tips, per their terms.”

PayPal told Gizmodo that the address is visible only when someone chooses the “Goods and Services” option. People can toggle it to a “Friends and Family” option that doesn’t share their address. The company spokesperson told the news outlet that PayPal would work with Twitter to make sure users were aware of this.


First Published: May 7, 2021, 10:17 am CDT