Twitter has become a platform that people often use so their voices can be heard, be it for bringing social issues to the attention of others or calling for donations or support for people in need. Twitter recently introduced Tip Jar, a new feature that allows users to send and receive tips.
It’s still undergoing some tests though, so the feature isn’t available to everyone yet. As of now Tip Jar is only available for those who use Twitter in English, but the creators are working to make it accessible to more people. Eventually, it will also be made available to more languages. Those in the initial testing group include creators, journalists, experts, and non-profit organizations.
Looks like the admins of Twitter took notice of people plugging in their PayPal and Venmo links under their viral threads.
— char | 理恵 / 13 (@alterego) May 6, 2021
While this new feature was introduced to make it easier to support others on Twitter, there’s something important that the developers have overlooked. Some Twitter users have already tried out Tip Jar to see how it works, and some have found that there’s an issue with this new feature in terms of privacy.
Huge heads up on PayPal Twitter Tip Jar. If you send a person a tip using PayPal, when the receiver opens up the receipt from the tip you sent, they get your *address*. Just tested to confirm by tipping @yashar on Twitter w/ PayPal and he did in fact get my address I tipped him. https://t.co/R4NvaXRdlZ pic.twitter.com/r8UyJpNCxu
— Rachel Tobac (@RachelTobac) May 6, 2021
Rachel Tobac, a security researcher, tested out Tip Jar by sending a tip to someone through PayPal and found out that her recipient — aside from getting her tip — also received Tobac’s home address.
Buried in @Twitter’s “Tip Jar FAQ”:
“Info about you, incl your full name or addr and your tip may be shared with the recipient or others”
— ashkan soltani (@ashk4n) May 7, 2021
Another problem was found by former Federal Trade Commission chief technologist Ashkan Soltani. Soltani found out that if you send a tip via PayPal, it’s possible to see a user’s email address, even if you don’t make a transaction. Turns out that if you don’t have a username on PayPal, by default it shows your email address instead.
Twitter’s help page discussing Tip Jar warns that since the payment services are third parties, your tip will be processed through these external sites so your transactions are subject to different terms and services depending on which payment service you choose.
The page also warns that your info – like your full name and your home address – may be seen by the tip recipient. However, Twitter should still do something more effective so that users will be adequately informed and warned about this security problem.
Product Lead Kayvan Beykpour has spoken up regarding the issue with using PayPal on Tip Jar and said that Twitter has no control over PayPal revealing people’s addresses, but they will add a warning for users who will send tips through this particular payment service.
Tip Jar could be a very useful and more convenient way to show support for Twitter users, but the developers should do something about the privacy issue first.
Other POP! stories you might like: