Twitter has recently launched a new feature that will help users tip each other. Dubbed ‘Tip Jar’, this feature will allow users to send a tip to others, such as journalists, security professionals, creators, and more. However, this exciting new Tip Jar feature also has a privacy issue for Twitter users.
About Twitter’s Tip Jar Feature
Twitter has recently introduced the ‘Tip Jar’ feature for its users. Through this feature, users can send tips to other Twitter users directly via PayPal.
As elaborated in their blog post, this new feature will let users tip someone they appreciate. The Tip Jar icon will appear next to the ‘Follow’ button on a user’s Twitter profile. Clicking on this icon will let the other user choose an appropriate payment service to send the money.
Currently, for this feature, Twitter has enabled support for PayPal, Venmo, Patreon, Bandcamp, and Cash App. Android users will get one more option – Spaces.
Twitter has stated that it will make no deductions from these transactions.
Presently, this feature is only available to a few users of Twitter in English globally. However, Twitter has pledged to expand the service to more languages soon.
What’s The Risk?
An option as simple as Tip Jar looks much more convenient for sending quick tips to favorites. However, it carries a potential privacy risk too, as the procedure exposes senders’ PayPal addresses to the recipients.
Here’s what Rachel Tobac of SocialProof Security highlighted in a tweet.
Huge heads up on PayPal Twitter Tip Jar. If you send a person a tip using PayPal, when the receiver opens up the receipt from the tip you sent, they get your *address*. Just tested to confirm by tipping @yashar on Twitter w/ PayPal and he did in fact get my address I tipped him. https://t.co/R4NvaXRdlZ pic.twitter.com/r8UyJpNCxu
— Rachel Tobac (@RachelTobac) May 6, 2021
It soon turned out that the privacy leak happens at PayPal’s end rather than Twitter’s. But since Twitter has integrated PayPal to support Tip Jar, the matter now impacts the privacy of Twitter users.
However, as highlighted further, users can choose to hide their addresses during transactions.
But you asked them to… if you tell them it needs to be shipped, they will share an address. Don’t ask Paypal that you need an item to be shipped (choose: no address needed) – Used @yashar also as a test :) pic.twitter.com/5tYoDbgAZA
— Anashel (@anashel) May 7, 2021
Another problem has also raised questions about how safe the Tip Jar feature is from potential abuse. Once again, the issue mainly exists because of PayPal.
Yup. There's even a "method" for screwing with people using the mandatory $20 chargeback. Give someone 5 fraudulent donations and you've just hit them with $100 in chargeback fees once those donations are reversed. One of many ways Paypal is kinda broken.
— briankrebs (@briankrebs) May 6, 2021
After these issues surfaced online, Twitter confirmed that it would clearly mention this exposure of information in the Tip Jar prompt and Help Center. It is presently unclear whether PayPal and/or Twitter will resolve this matter for good.