updated 08:14 pm EST, Fri February 1, 2013
User discovered EXIF 'backdoor,' company issues quick fix
On the same day as the social and photo-sharing app Path agreed to an $800,000 settlement with the Federal Trade Commission over its surreptitious uploading of users' contacts without their knowledge last year, a security researcher discovered a "backdoor" way of obtaining the same data by reading the EXIF location embedded in digital photos even if "location sharing" is explicitly turned off. Path says it was previously unaware of the issue and has already updated its iOS app to close the loophole.
By all accounts, Path was not using the EXIF data and was unaware that the workaround existed until it was pointed out. After facing a widespread public backlash when it was originally discovered to be helping itself to contact data from users' address books without user permission, Path rebuilt its base with an aggressive action plan to disavow and destroy all location data it had previously collected, along with an apology to users.
It explained that it had previously copied user contact data to allow the service to automatically connect people who already know each other together on the social network as a user's friends joined the service, similar to the way Facebook performs the same service (though Facebook uses a less-invasive method, and requires user interaction to make any changes).
The data-mining was and remains off-limits according to Apple developer guidelines, and CEO Tim Cook allegedly "grilled" Path co-founder and CEO Dave Morin in a face-to-face meeting when the contact-scraping was discovered and made public. Apple subsequently strengthened enforcement of the ban by forcing applications to explicitly ask for permission to access contacts or photos or other personal info, even if access to that information is an obvious part of the purpose of the app (for example, the "Find My iPhone" app still asks for permission to access a user's location data).
Having been burned by the overzealous privacy breach once, Path was quick to react when informed about the bug this time. It became obvious in the investigation that Path's original code had used EXIF data as a "fallback" when location data was not found, and that this backdoor had simply never been closed when the company began obeying Location Services settings.
Path Product Manager Dylan Casey reported back to researcher Jeffrey Paul and told him the company had changed the code to ignore EXIF tag location, and submitted a new version of the app with the change. Apple approved the new version in record time, and the update is already available on the App Store.
The company later clarified that if a photo were taking using the Path app, the photo has no location data at all if Location Services is turned off or location data permission has been denied. It was only photos taken with the Apple camera app or brought in from other sources that may have EXIF location data preserved. As part of its agreement with the FTC, Path has already said that it will not collect such info for users who are known to be under the age of 13, even if Location Services and location data permission has been granted.