Privacy Flaw Found in Path for iOS
The app uploads a user's entire address book without requesting permission to do so.
"Thamp used mitmproxy to analyse what traffic was being created by the app and found that an API call, specifically a POST request to https://api.path.com/3/contacts/add, sends the entire address book, including full names, email addresses and phone numbers, over HTTPS to the Path servers as an unencrypted plist file," The H Security reports.
"In a comment on Thamp's blog post, Path CEO Dave Morin acknowledged the issue and said that the company takes it 'very seriously,'" the article states. "According to Morin, the address book is uploaded to its servers 'in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.'"
Go to "Path iOS app uploads address book to its servers" to read the details.