If you haven’t already downloaded the newest version of the social-networking app Path, you should wait a little longer. While attempting to port Path 2 (as it’s called) to OS X, developer Arun Thampi discovered that the app automatically uploads users’ entire address book to Path’s servers. Fortunately, the company assures users that a fix is on the way.
“Using the awesome mitmproxy tool which was featured on the front page of the Hacker News yesterday, I started to observe the various API calls made to Path’s servers from the iPhone app,” writes Thampi in a post on his awesomely-named blog, McLov.in. “It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add. Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path.” (Emphasis his)
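The check Thampi describes, spotting a request body that carries the whole address book, can be automated once the traffic is in hand. The following is an added example written for this page, not code from Thampi, Path or mitmproxy: it parses a captured POST body as a plist (XML or binary, via the standard library’s `plistlib`) and counts contact-like fields. The record layout it assumes (a plist array of dicts with `name`, `emails` and `phones` keys) and the sample payload are constructed for illustration; the real Path payload format is not shown on the page.

```python
"""Scan a captured HTTP request body for address-book data serialised as a plist.

Added example for this article; not code from Thampi, Path or mitmproxy.
ASSUMPTION: contacts are a plist array of dicts with "name", "emails" and
"phones" keys. The real payload layout is not documented on the page.
"""
import plistlib
import re

# Loose matchers: we only need to tell "looks like a phone/email" from names.
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _walk(node):
    """Yield every scalar leaf of a parsed plist, however deeply nested."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, (list, tuple)):
        for value in node:
            yield from _walk(value)
    else:
        yield node


def scan_plist_body(body: bytes) -> dict:
    """Parse a request body as a plist (XML or binary) and count contact fields.

    Returns {"is_plist", "records", "emails", "phones"}. A body that is not a
    plist (JSON, form data, arbitrary bytes) yields is_plist=False, zero counts.
    """
    result = {"is_plist": False, "records": 0, "emails": 0, "phones": 0}
    try:
        data = plistlib.loads(body)  # auto-detects XML vs binary plist
    except Exception:  # InvalidFileException, ExpatError, ...: not a plist
        return result
    result["is_plist"] = True
    if isinstance(data, list):
        result["records"] = len(data)
    for leaf in _walk(data):
        if isinstance(leaf, str):
            text = leaf.strip()
            if EMAIL_RE.match(text):
                result["emails"] += 1
            elif PHONE_RE.match(text):
                result["phones"] += 1
    return result


def looks_like_address_book_upload(body: bytes, min_records: int = 5) -> bool:
    """Heuristic flag: a plist array of several records carrying emails/phones."""
    r = scan_plist_body(body)
    return r["is_plist"] and r["records"] >= min_records and (r["emails"] + r["phones"]) > 0


# Constructed sample payload standing in for what a contacts/add POST might carry.
SAMPLE_CONTACTS = [
    {"name": "Alice Example", "emails": ["alice@example.com"], "phones": ["+1 555 010 0001"]},
    {"name": "Bob Example", "emails": [], "phones": ["+1 555 010 0002"]},
    {"name": "Carol Example", "emails": ["carol@example.org"], "phones": []},
    {"name": "Dan Example", "emails": ["dan@example.net"], "phones": ["555-0100"]},
    {"name": "Eve Example", "emails": [], "phones": ["(555) 010-0005"]},
]
SAMPLE_XML_BODY = plistlib.dumps(SAMPLE_CONTACTS)  # XML plist
SAMPLE_BIN_BODY = plistlib.dumps(SAMPLE_CONTACTS, fmt=plistlib.FMT_BINARY)  # bplist00
SAMPLE_JSON_BODY = b'{"device": "iPhone", "version": "2.0.5"}'  # constructed non-plist body


if __name__ == "__main__":
    for label, body in (("xml", SAMPLE_XML_BODY), ("binary", SAMPLE_BIN_BODY), ("json", SAMPLE_JSON_BODY)):
        print(label, scan_plist_body(body), looks_like_address_book_upload(body))
```

To run this against live traffic rather than the constructed sample, a mitmproxy addon’s `request(flow)` hook can hand `flow.request.content` to `scan_plist_body` and log any flow the heuristic flags, together with its URL; the point of the threshold on record count is to separate a bulk contacts upload from a single “add this one friend” call.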
Dave Morin, co-founder and CEO of Path, quickly responded to Thampi’s discovery in a comment on the damning blog post. He writes: “We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.
“We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.”
While Morin’s response is all well and good, and better than how most companies respond to such crises, a few problems remain. First, many apps upload user contacts, but that data is not usually handled as a plain-text file, which is how it appears to have been sent to and stored on Path’s servers, and which leaves it far more exposed. Second, it is unclear why Path did not make it explicit to iOS users that it would be accessing all address-book data, as it already does in the Android version.
Users who are not content with Path’s fix can delete their account by contacting the company at: firstname.lastname@example.org.