‘Tip Jar,’ a new feature recently introduced by Twitter, has some privacy issues due to the use of PayPal

May 10, 2021 12:10 GMT

Twitter recently introduced a new feature that allows users to tip one another. This feature, dubbed ‘Tip Jar,’ allows users to send tips to other users, including journalists, security professionals, developers, and others. However, the new Tip Jar feature also jeopardizes Twitter users' privacy.

Tip Jar is the newest addition to Twitter. The new feature allows you to submit tips to other Twitter users directly through PayPal.

According to Twitter's blog post, the feature allows users to tip someone they admire. On a user's Twitter profile, the Tip Jar icon will appear next to the "Follow" button. By clicking this icon, another user can select an appropriate payment service to send money.

Twitter currently supports PayPal, Venmo, Patreon, Bandcamp, and Cash App for this feature. Android users have an additional option: Spaces.

Twitter also clarifies that no deductions will be made from these transactions.

The functionality is currently available only to a small number of Twitter users around the world who use Twitter in English. Twitter promises, however, to expand the service to more languages in the near future.

What about the risk to users' privacy?

A simple option like Tip Jar makes it much more convenient to send quick tips to favorite accounts. However, because the practice reveals senders' PayPal addresses to recipients, it poses a privacy risk.

As Rachel Tobac of SocialProof Security highlighted in a tweet, if a user sends another a tip via PayPal, the receiver can find out the sender's address by opening the receipt from the tip received.

Shortly after, it was discovered that the privacy breach occurs at PayPal's end rather than Twitter's. Still, since Twitter incorporated PayPal as a Tip Jar option, the issue directly affects its users' privacy.

Note that users can opt to keep their address hidden during transactions by selecting "No address needed" under the Shipment Address form field before submitting the payment.

After the details became public, Twitter confirmed the vulnerability was present in the Tip Jar prompt and Help Center. It is still uncertain whether PayPal and/or Twitter are able to resolve this matter.