The Twitter logo on the screen of a smartphone. Next to it is a tweet from Rachel Tobac showing a privacy issue when using PayPal for Twitter's new Tip Jar function.

Tashatuvango/Shutterstock (Licensed) @RachelTobac/Twitter (Fair Use)

Twitter’s Tip Jar can show your home address if you’re not careful, researcher finds

Twitter says it will add a prompt alerting people about apps sharing info.


Andrew Wyrich


Posted on May 7, 2021   Updated on May 7, 2021, 11:56 am CDT

Twitter is rolling out a way to pay fellow users called “Tip Jar,” but some security researchers have found that the new feature could pose some privacy concerns.

The “Tip Jar” feature, which is currently only available for some users to set up, allows someone to set up a button on their Twitter profile that will allow users to send them money through numerous platforms like Bandcamp, Cash App, Patreon, PayPal, and Venmo.

When someone clicks on one of the payment options, it sends them to that app to continue making the transaction. The general idea, according to Twitter, is for people to have an easy way to send each other money instead of “sharing your PayPal link after your tweet goes viral.”

While Twitter announced that it was rolling out “Tip Jar” on Thursday, one security researcher noticed that people may be unintentionally giving out their private information to whoever they are deciding to tip on Twitter.

Rachel Tobac, the CEO of SocialProof Security, noticed that if someone uses PayPal to tip someone on Twitter, your personal address was readily viewable to whoever received the tip. Tobac tested the feature with prolific Twitter user Yashar Ali.

“Huge heads up on PayPal Twitter Tip Jar. If you send a person a tip using PayPal, when the receiver opens up the receipt from the tip you sent, they get your *address*. Just tested to confirm by tipping @yashar on Twitter w/ PayPal and he did in fact get my address I tipped him,” Tobac tweeted on Thursday.

As Tobac noted, the visible address was a PayPal feature, not Twitter’s. However, she stressed that Twitter should alert users who are tipping that their address could be visible.

If you tip a Twitter user you know well, them seeing your home address might not be that much of a concern, but if you see a viral tweet from a stranger and want to send them money, it obviously could become a privacy concern.

Soon enough, Twitter’s product lead Kayvon Beykpour replied to Tobac, calling it a “good catch” and saying that they would add a warning for Twitter users who use PayPal to tip users.

“This is a good catch, thank you. we can’t control the revealing of the address on Paypal’s side but we will add a warning for people giving tips via Paypal so that they are aware of this,” Beykpour tweeted.

Twitter’s Support account also reiterated that it would be updating the prompt users see before tipping to “make it clearer that other apps may share info between people sending/receiving tips, per their terms.”

PayPal told Gizmodo that the address being visible only occurs when someone chooses the “Goods and Services” option. People can toggle it to a “Friends and Family” option that doesn’t share their address. The company spokesperson told the news outlet they would work with Twitter to make sure users were aware of this.

Read more of the Daily Dot’s tech and politics coverage

Nevada’s GOP secretary of state candidate follows QAnon, neo-Nazi accounts on Gab, Telegram
Court filing in Bored Apes lawsuit revives claims founders built NFT empire on Nazi ideology
EXCLUSIVE: ‘Say hi to the Donald for us’: Florida police briefed armed right-wing group before they went to Jan. 6 protest
Inside the Proud Boys’ ties to ghost gun sales
‘Judas’: Gab users are furious its founder handed over data to the FBI without a subpoena
EXCLUSIVE: Anti-vax dating site that let people advertise ‘mRNA FREE’ semen left all its user data exposed
Sign up to receive the Daily Dot’s Internet Insider newsletter for urgent news from the frontline of online.
Share this article
*First Published: May 7, 2021, 10:17 am CDT