Privacy Flaw Found in Path for iOS

Software developer Arun Thamp recently discovered that the Path photo sharing and messaging app for iOS automatically uploads a user's entire address book without first requesting permission.

"Thamp used mitmproxy to analyse what traffic was being created by the app and found that an API call, specifically a POST request to https://api.path.com/3/contacts/add, sends the entire address book, including full names, email addresses and phone numbers, over HTTPS to the Path servers as an unencrypted plist file," The H Security reports.

"In a comment on Thamp's blog post, Path CEO Dave Morin acknowledged the issue and said that the company takes it 'very seriously,'" the article states. "According to Morin, the address book is uploaded to its servers 'in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.'"

Go to "Path iOS app uploads address book to its servers" to read the details.