The popular Path photo-sharing app is uploading users' entire address books to its servers, a developer has discovered - and Path says it's not a mistake. Hipster is said to be doing the same.
Arun Thampi, a developer on the Denso video-sharing application, says he discovered the 'feature' while attempting to write his own OS X version of the app.
"I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new 'Path' and repeated the experiment and I got the same result – my address book was in Path’s hands," he says.
"I’m not insinuating that Path is doing something nefarious with my address book, but I feel quite violated that my address book is being held remotely on a third-party service. I love Path as an iOS app and I think there are some brilliant people working on it, but this seems a little creepy."
But Dave Morin, the CEO of Path, has defended the company's actions, saying that he never in his wildest dreams imagined that it could cause such a fuss.
"We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more," he told Thampi. He says that the company will now make it an opt-in feature.
But Chester Wisniewski of Sophos is less than impressed.
"Wow. So we decided it might be handy to have all of your contact info, to, you know, help you connect," he says.
"We then realized we might be in a privacy pickle because we never asked for permission, so we modified the app after the fact to ask you if it is ok, assuming Apple approves it."
Meanwhile, social media app Hipster is doing the same thing, says Wisniewski, citing blogger Mark Chang.
"The Hipster app does provide you with an option when adding friends to deselect the 'Contacts' button, but who would imagine selecting contacts meant sending your contacts to Hipster? If I saw that button I'd assume it would allow me to pick from my address book locally," he says.
"Even worse, Hipster not only sends all of your friends' email addresses to their servers unencrypted, but they even send your password in cleartext."
As part of his conversation with Thampi, Morin describes the snaffling of users' address books as 'currently the industry best practice'. Really?
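Thampi found the upload by watching what the app put on the wire, and Wisniewski's Hipster finding came the same way. As an added example, not code from the article or from either app, here is a small Python audit of an intercepted plist request body of the kind Thampi describes: it counts address-book style records and flags any credential field sent alongside them. The sample body, its key names and the password value are constructed assumptions.

```python
import plistlib

# Constructed sample, not captured traffic: an address book serialised as a plist
# (what Thampi saw Path send) plus a password field (as reported for Hipster).
SAMPLE_BODY = plistlib.dumps({
    "password": "hunter2",
    "contacts": [
        {"first_name": "Ada", "last_name": "Lovelace",
         "emails": ["ada@example.org"], "phones": ["+44 20 7946 0000"]},
        {"first_name": "Alan", "last_name": "Turing",
         "emails": [], "phones": ["+44 1908 000000"]},
    ],
})
BENIGN_BODY = plistlib.dumps({"version": "1.0", "event": "app_open"})

PII_KEYS = {"first_name", "last_name", "name", "email", "emails", "phone", "phones"}
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "secret", "token"}

def _looks_like_contact(node) -> bool:
    """A dict carrying at least one address-book field."""
    return isinstance(node, dict) and bool({str(k).lower() for k in node} & PII_KEYS)

def _walk(node, found: dict) -> None:
    """Recursively visit the decoded plist, collecting PII and credential keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            k = str(key).lower()
            if k in CREDENTIAL_KEYS:
                found["credentials"].append(k)
            if k in PII_KEYS:
                found["pii_keys"].add(k)
            _walk(value, found)
    elif isinstance(node, list):
        # A list whose every element is contact-shaped is an address book dump.
        if node and all(_looks_like_contact(item) for item in node):
            found["contact_records"] += len(node)
        for item in node:
            _walk(item, found)

def audit_plist_body(body: bytes) -> dict:
    """Summarise what an intercepted plist request body reveals about the user."""
    found = {"contact_records": 0, "pii_keys": set(), "credentials": []}
    _walk(plistlib.loads(body), found)  # plistlib detects XML vs binary plists
    return {
        "contact_records": found["contact_records"],
        "pii_keys": sorted(found["pii_keys"]),
        "credentials": found["credentials"],
        "uploads_address_book": found["contact_records"] > 0,
        "sends_cleartext_credential": bool(found["credentials"]),
    }
```

Run it against bodies captured from a proxy during the "add friends" flow of an app under review; a non-zero contact count on a plaintext connection is exactly the condition the article describes.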