Hours after Twitter announced the new money transfer feature Tip Jar, early testers took to the social media platform to air their concerns over addresses being included in PayPal receipts.
Tip Jar has been introduced to provide Twitter users with a secure method of accepting funds and an alternative to sharing a PayPal-linked email address, a Cash App $Cashtag or a Venmo handle when requesting payments.
A Twitter blog states that Tip Jar is only available for people using the mobile platform in English. For those with access, an icon will appear next to the Follow button on their profile page, which will reveal a list of payment services and platforms once selected.
As of today, Tip Jar supports Bandcamp, Cash App, Patreon, PayPal and Venmo, and the blog claims that Twitter does not take a cut. For Android users, tips can also be sent within Spaces.
However, under PayPal’s standard fraud prevention protocol between buyers and sellers, a shipping address is always included in the receipt for a payment, whether the address is confirmed or unconfirmed.
This has meant that people using the PayPal tip function on Twitter are able to see their recipient’s address, which has raised privacy concerns. While most merely alerted other Tip Jar users, others tweeted that, in essence, you can pay for data.
Rachel Tobac, CEO of San Francisco-based social engineering firm Social Proof Security, tweeted: “Be careful using PayPal Twitter Tip Jar — this is a hallmark of PayPal rather than Twitter of course but it impacts Twitter users who may not know that their address is leaked by PayPal to tip receivers.”
She continued: “PayPal needs to make it crystal clear which data is given to money receivers and stop sharing that data, & Twitter needs to educate users who don’t realize what info tip receivers get when using PayPal.”
In response to her tweet, Twitter product lead Kayvon Beykpour said: “this is a good catch, thank you. we can't control the revealing of the address on Paypal's side but we will add a warning for people giving tips via Paypal so that they are aware of this.”
On its website, PayPal explains: “Although the vast majority of unconfirmed addresses are not fraudulent, PayPal offers confirmed addresses as an additional layer of fraud protection. Confirmed addresses help guard against stolen credit cards and identity theft and decrease your chances of receiving a chargeback. However, it is important to note that you can still receive a chargeback for reasons unrelated to fraud.”