After a researcher discovered that the Path app silently uploads a user's entire address book to a server belonging to the social network and photo-sharing service, with no prior notification, the company has released a new version of the app that asks people to opt in to that behavior.
In a blog post on his website, Android and iOS developer Arun Thampi says he was attempting to create an OS X app for Path as part of a hackathon. While running the app through an SSL-capable man-in-the-middle HTTP proxy, he noticed a strange POST request to https://api.path.com/3/contacts/add. A closer look at that request revealed that the app was sending the names, addresses, and phone numbers of all of his contacts to Path as a property list (plist), without his knowledge.
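The kind of check Thampi performed, reduced to code, is shown below as an added example; it is not code from the original article or from Path. It assembles a constructed HTTP POST to the endpoint named above with a plist body (the contact field names are an assumption for illustration, not Path's real schema), parses the request the way an intercepting proxy would present it, and counts phone numbers and e-mail addresses in the payload so a reviewer can flag an address-book upload rather than having to read raw bytes.

```python
"""Added example: classify a captured HTTP POST body as an address-book upload.

The sample request is constructed here with plistlib; it is not real Path
traffic, and the contact field names are assumptions for illustration.
"""
import plistlib
import re

# Loose matchers: good enough to count obvious phone numbers and e-mail addresses.
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample payload (assumed field names, not Path's schema).
SAMPLE_CONTACTS = {
    "contacts": [
        {"name": "Alice Example", "phone": "+1 415 555 0100", "email": "alice@example.com"},
        {"name": "Bob Example", "phone": "(415) 555-0199"},
        {"name": "Carol Example", "email": "carol@example.org"},
    ]
}


def build_sample_request(payload=SAMPLE_CONTACTS):
    """Assemble a constructed HTTP POST as an intercepting proxy would show it.
    The body is a binary property list produced by plistlib."""
    body = plistlib.dumps(payload, fmt=plistlib.FMT_BINARY)
    headers = (
        b"POST /3/contacts/add HTTP/1.1\r\n"
        b"Host: api.path.com\r\n"
        b"Content-Type: application/x-plist\r\n"
        + b"Content-Length: %d\r\n" % len(body)
        + b"\r\n"
    )
    return headers + body


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def walk_strings(obj):
    """Yield every string value found anywhere in a nested plist structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from walk_strings(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from walk_strings(value)


def audit_request(raw):
    """Return a report describing what address-book data the request carries."""
    method, path, headers, body = parse_http_request(raw)
    report = {"method": method, "host": headers.get("host"), "path": path,
              "records": 0, "phones": 0, "emails": 0, "address_book_leak": False}
    try:
        payload = plistlib.loads(body)  # handles both XML and binary plists
    except Exception:
        return report  # body is not a plist; nothing further to classify here
    for text in walk_strings(payload):
        if EMAIL_RE.match(text):
            report["emails"] += 1
        elif PHONE_RE.match(text):
            report["phones"] += 1
    if isinstance(payload, dict):
        for value in payload.values():
            if isinstance(value, list):
                report["records"] += len(value)
    # Any phone number or e-mail address leaving the device in a contacts
    # upload is the behaviour the user should have been asked about.
    report["address_book_leak"] = (report["phones"] + report["emails"]) > 0
    return report


if __name__ == "__main__":
    print(audit_request(build_sample_request()))
```

Against a real capture, `audit_request` would be fed the bytes the proxy logged for each request; a request that reports `address_book_leak` with a non-zero `records` count is the one to take to the app vendor, exactly as happened here.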
Path did not immediately respond to a request for comment from Threatpost, but Path CEO Dave Morin told Thampi that his company uploads client address books to help users find and connect with friends and family and to encourage new users to join, and nothing more.
“This type of friend finding and matching is important to the industry,” Morin goes on, defending the practice, “…it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.”
Path has since released a new version of the app for iOS that prompts users to either opt in or out of the contact-sharing behavior. In a blog post, Morin apologized for the company’s actions.
“We made a mistake. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts,” Morin wrote. “Through the feedback we’ve received from all of you, we now understand that the way we had designed our ‘Add Friends’ feature was wrong. We are deeply sorry if you were uncomfortable with how our application used your phone contacts.”
You can find a detailed analysis of Thampi’s research on his site here.