Hacker | CEO @SocialProofSec social engineering/hacking talks, training, pentests | 3X @DEFCON
| Chair @WISPorg | Technical Advisory Council @CISAgov | She/her
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Huge heads up on PayPal Twitter Tip Jar. If you send a person a tip using PayPal, when the receiver opens up the receipt from the tip you sent, they get your *address*. Just tested to confirm by tipping @yashar on Twitter w/ PayPal and he did in fact get my address I tipped him. https://twitter.com/TwitterSupport/status/1390396738788339722 …pic.twitter.com/r8UyJpNCxu
Above you can see the receipt @yashar sent me when I did this test with him. Be careful using PayPal Twitter Tip Jar — this is a hallmark of PayPal rather than Twitter of course but it impacts Twitter users who may not know that their address is leaked by PayPal to tip receivers.
This is EXACTLY what I was concerned to test when Twitter announced Tip Jar. PayPal needs to make it crystal clear which data is given to money receivers and stop sharing that data, & Twitter needs to educate users who don’t realize what info tip receivers get when using PayPal.https://twitter.com/RachelTobac/status/1385398131924209665 …
Thank you @yashar for letting me test with you to ensure I can educate folks on how PayPal leaks address data to tip receivers and so we can keep people safe 
Thank you @Twitter @kayvz for paying attention, welcoming security researcher’s feedback, and taking responsibility to take steps to warn and protect your users within an hour of me releasing these findings (even though you don’t control PayPal’s address leaking flow).https://twitter.com/RachelTobac/status/1390424864469651460 …
Yes, this is a PayPal issue (leaks address w/ PayPal payments off of Twitter too). Twitter integrated PayPal into their tip feature so it's now Twitter's responsibility to inform users about how using PayPal w/ Twitter Tip Jar impacts privacy as many Twitter users aren't aware.
This is a great opportunity for orgs to start a conversation on privacy implications of features they build & tools they integrate into their platform. When an org integrates a tool that could affect user's privacy & users might not understand privacy risk, orgs should educate.
Thank you for taking action today Twitter. You didn’t create the PayPal address leak issue but you’re taking responsibility for your user’s privacy with your PayPal integration by warning them about how their personal info could be revealed when tipping w/ PayPal Twitter Tip Jar.https://twitter.com/TwitterSupport/status/1390451333602422787 …
The flow that revealed my physical address here was the default flow served to me during this tip interaction. To keep people safe, we need *privacy by default* — make it hard to accidentally share your physical address in this flow rather than the default shown to some users.https://twitter.com/RachelTobac/status/1390772180800053248 …
An update to the Twitter Tip Jar messaging here. Our feedback has been heard.https://twitter.com/RachelTobac/status/1441092714846556165 …
Another update: no longer seeing PayPal as an option for Twitter Tip Jar.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
