Twitter Tip Jar may expose users' PayPal accounts


Twitter recently began testing a new feature that lets users tip select profiles to help support their work, but concerns have arisen that senders may have their PayPal information exposed.

English-speaking users of the social network's iOS and Android apps can now send tips through the company's Tip Jar to creators, journalists, experts and nonprofits around the world.

Twitter users interested in tipping the account holders of their favorite profiles can do so using a variety of payment methods including Bandcamp, Cash App, Patreon, PayPal and Venmo. While the company doesn't take a cut of these tips, the payment networks themselves may charge users a small transaction fee for tipping.

Esther Crawford, senior product manager at Twitter, provided more details on how this new feature works in a blog post, saying:

“You’ll know an account’s Tip Jar is enabled if you see a Tip Jar icon next to the Follow button on their profile page. Tap the icon, and you’ll see a list of payment services or platforms that the account has enabled. Select whichever payment service or platform you prefer and you’ll be taken off Twitter to the selected app where you can show your support in the amount you choose.”

Exposed PayPal information

Within a few hours of Twitter's Tip Jar rolling out, though, some users on the social network discovered that, due to the way in which PayPal works, the shipping addresses of those tipping other users could be exposed online.

Rachel Tobac, hacker and CEO of Social Proof Security, a white hat hacker company focused on social engineering, explained how this works in a tweet, saying:

“Huge heads up on PayPal Twitter Tip Jar. If you send a person a tip using PayPal, when the receiver opens up the receipt from the tip you sent, they get your *address*. Just tested to confirm by tipping @yashar on Twitter w/ PayPal and he did in fact get my address I tipped him.”

Thankfully, the solution to this potential issue is quite simple: those using PayPal to send tips via Twitter's Tip Jar can select “No address needed” under the Shipping Address form before sending a payment on the social network.

Twitter has since updated its tipping prompt and Help Center page on its website to clarify that other apps such as PayPal may share information between those sending and receiving tips.

Via BleepingComputer

Anthony Spadafora
