A new privacy flaw discovered in Path means it will geotag your posts on the social network even when you’ve explicitly disabled Location Services for the app. It does this by reading the EXIF metadata embedded in any photo you attach from the iOS Camera Roll: pictures taken with the iOS Camera app carry the GPS coordinates of where they were shot, and Path pulled the location from those tags instead of asking the operating system for it. After we notified Path of the discovery, the company says it has patched its app and a new version should be available as soon as Apple approves it in the App Store.
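To make the mechanism concrete, here is an added example (not Path’s, Apple’s, or Jeffrey Paul’s code) that parses the GPS IFD out of a JPEG’s Exif APP1 segment exactly as any app with read access to the file bytes could, with no Location Services call anywhere, and then shows one mitigation: blanking the GPS IFD in place so the same parser returns nothing. Path’s own stated fix is to ignore the EXIF location tag on the app side; the scrub below is the stricter, file-level version of the same idea. The sample JPEG is constructed inline (a bare SOI, Exif APP1 and EOI with no image data) and the coordinates in it are made up for the demonstration.

```python
"""Read, then scrub, EXIF GPS coordinates in a JPEG (added example, not Path's code)."""
import struct

GPS_IFD_POINTER = 0x8825                   # IFD0 tag whose value is the GPS IFD offset
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
T_ASCII, T_LONG, T_RATIONAL = 2, 4, 5       # TIFF field types used here


def _open_tiff(jpeg):
    """Locate the Exif APP1 segment; return (tiff_start, byte_order, ifd0_offset) or None."""
    pos = 2                                 # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = pos + 10
            bo = "<" if jpeg[tiff:tiff + 2] == b"II" else ">"   # "II" little, "MM" big endian
            ifd0 = struct.unpack(bo + "I", jpeg[tiff + 4:tiff + 8])[0]
            return tiff, bo, ifd0
        if marker in (0xD9, 0xDA):          # EOI or start of scan: no Exif past this point
            return None
        pos += 2 + length
    return None


def _entries(buf, bo, tiff, ifd_off):
    """Yield (tag, type, count, 4-byte value-or-offset field) for each entry of an IFD."""
    base = tiff + ifd_off
    n = struct.unpack(bo + "H", buf[base:base + 2])[0]
    for i in range(n):
        e = base + 2 + 12 * i
        tag, typ, cnt = struct.unpack(bo + "HHI", buf[e:e + 8])
        yield tag, typ, cnt, bytes(buf[e + 8:e + 12])


def _rationals(buf, bo, tiff, cnt, field):
    """Decode `cnt` RATIONALs (numerator/denominator LONG pairs) stored out of line."""
    off = tiff + struct.unpack(bo + "I", field)[0]
    raw = struct.unpack(bo + "%dI" % (2 * cnt), buf[off:off + 8 * cnt])
    return [raw[i] / raw[i + 1] for i in range(0, 2 * cnt, 2)]


def _gps_ifd(jpeg):
    """Return (tiff_start, byte_order, gps_ifd_offset) if IFD0 points at a GPS IFD."""
    hdr = _open_tiff(jpeg)
    if hdr is None:
        return None
    tiff, bo, ifd0 = hdr
    for tag, typ, cnt, field in _entries(jpeg, bo, tiff, ifd0):
        if tag == GPS_IFD_POINTER and typ == T_LONG:
            return tiff, bo, struct.unpack(bo + "I", field)[0]
    return None


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the GPS IFD, or None if absent.
    File bytes are all that is needed; Location Services never enters the picture."""
    found = _gps_ifd(jpeg)
    if found is None:
        return None
    tiff, bo, gps = found
    fields = {}
    for tag, typ, cnt, field in _entries(jpeg, bo, tiff, gps):
        if typ == T_ASCII and cnt <= 4:      # N/S and E/W refs are short, stored inline
            fields[tag] = field[:cnt].rstrip(b"\x00").decode("ascii")
        elif typ == T_RATIONAL:              # degrees, minutes, seconds as three rationals
            fields[tag] = _rationals(jpeg, bo, tiff, cnt, field)
    if any(k not in fields for k in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    to_deg = lambda dms: dms[0] + dms[1] / 60 + dms[2] / 3600
    lat = to_deg(fields[GPS_LAT]) * (-1 if fields[GPS_LAT_REF] == "S" else 1)
    lon = to_deg(fields[GPS_LON]) * (-1 if fields[GPS_LON_REF] == "W" else 1)
    return lat, lon


def scrub_gps(jpeg):
    """Return a copy with the GPS IFD blanked in place: entry count set to 0, the entries
    and their out-of-line rational payloads zeroed. Nothing moves, so every other offset
    in the file (orientation, thumbnail, etc.) stays valid."""
    out = bytearray(jpeg)
    found = _gps_ifd(out)
    if found is None:
        return bytes(out)
    tiff, bo, gps = found
    base = tiff + gps
    n = struct.unpack(bo + "H", out[base:base + 2])[0]
    for _, typ, cnt, field in list(_entries(out, bo, tiff, gps)):
        if typ == T_RATIONAL:
            off = tiff + struct.unpack(bo + "I", field)[0]
            out[off:off + 8 * cnt] = bytes(8 * cnt)
    out[base:base + 2 + 12 * n] = bytes(2 + 12 * n)
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample (not a real photo): SOI, Exif APP1 holding one GPS IFD, EOI.
    Big-endian TIFF; offsets relative to the TIFF header:
      0 header | 8 IFD0 (1 entry) | 26 GPS IFD (4 entries) | 80 lat DMS | 104 lon DMS"""
    bo = ">"
    ent = lambda tag, typ, cnt, field: struct.pack(bo + "HHI", tag, typ, cnt) + field
    rat = lambda dms: b"".join(struct.pack(bo + "II", n, d) for n, d in dms)
    tiff = (b"MM" + struct.pack(bo + "HI", 42, 8)
            + struct.pack(bo + "H", 1)
            + ent(GPS_IFD_POINTER, T_LONG, 1, struct.pack(bo + "I", 26))
            + struct.pack(bo + "I", 0)
            + struct.pack(bo + "H", 4)
            + ent(GPS_LAT_REF, T_ASCII, 2, lat_ref + b"\x00\x00\x00")
            + ent(GPS_LAT, T_RATIONAL, 3, struct.pack(bo + "I", 80))
            + ent(GPS_LON_REF, T_ASCII, 2, lon_ref + b"\x00\x00\x00")
            + ent(GPS_LON, T_RATIONAL, 3, struct.pack(bo + "I", 104))
            + struct.pack(bo + "I", 0)
            + rat(lat_dms) + rat(lon_dms))
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg([(37, 1), (46, 1), (2970, 100)], b"N",
                               [(122, 1), (25, 1), (980, 100)], b"W")
    print("original:", extract_gps(sample))              # (37.7749..., -122.4193...)
    print("scrubbed:", extract_gps(scrub_gps(sample)))   # None
```

Two things worth noting for a practitioner. First, the reader needs nothing beyond the photo bytes, which is exactly why an OS permission on “location” that does not also cover location-bearing metadata leaves the gap Paul describes. Second, blanking the GPS IFD rather than deleting the whole APP1 segment keeps the rest of the metadata intact and is offset-safe, but it does not touch copies of the coordinates that may live elsewhere (an embedded XMP packet, for instance), so a scrubber used before upload should check those too.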
We were first alerted to this issue via a blog post by security researcher and hacker Jeffrey Paul late on Thursday night, and immediately contacted Path. A spokesperson responded this morning that the company was looking into the issue, and then this afternoon Dylan Casey, Path’s Product Manager, posted a comment on Paul’s blog.
The comment was also emailed to us. After thanking Jeffrey, Casey stated the following:
We take user privacy very seriously here at Path. Here is what we have discovered and how we are responding:
1. We were unaware of this issue and have implemented a code change to ignore the EXIF tag location.
2. We have submitted a new version with this fix to the App Store for approval.
3. We have alerted Apple about the concerns you’ve outlined here and will be following up with them.
One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data. This only affected photos taken with the Apple Camera and imported into Path.
The third point is worth noting, as Jeffrey asked readers of his blog: “Should Apple’s iOS allow applications for which Location Services are explicitly disabled to access location information embedded (by the iOS Camera app) in photos stored in the Camera Roll (when access to photos is granted)? I think the answer here is very clearly no.”
Last year, Path admitted to collecting and storing personal information from the iOS address book without asking the user’s permission, and quickly released an update the next day, but not before being hit with a massive backlash. After all that, Apple changed its policies so that apps require explicit user permission to access Address Book data.
Jeffrey is calling for the same thing when it comes to EXIF location tags in photos:
If you disable location services for an app, for example, a photo-sharing app or social network, yet take a photo every day (using the Camera app) and then later use that same application (which you have not granted access to your position) to upload that photo, the OS should prohibit the application from detecting your location via the EXIF information in that photo. Otherwise, the app will still have your location on a regular basis, despite the clear opposite intent being expressed by the user (through the disabling of location services for that particular app). This seems pretty clear to me.
Jeffrey has alerted Apple, and now it seems Path has done the same thing. That’s quite a way to show it cares; after all, the company today settled with the FTC for $800,000 and likely wants to avoid anything similar from happening again.
Image credit: Henry Phan