A recent investigation revealed that the event planning app Partiful failed to strip GPS metadata from user-uploaded photos, meaning that anyone using basic web tools could access precise latitude/longitude data tied to images stored in the app’s Firebase backend. The company acknowledged the flaw, fast-tracked a fix, and reprocessed existing uploads to remove location info. The oversight raised serious concerns—particularly as Partiful has grown into a social graph connecting users’ events, contacts, and locations, and some have already raised alarm over its founders’ prior ties to Palantir.
Key Takeaways
– The metadata exposure meant that users’ home, work, or other precise photo-capture locations could have been revealed to anyone inspecting backend image files.
– Partiful responded within days: it stripped metadata from new and existing photos, and publicly disclosed the vulnerability.
– The incident underscores how even startups must treat data hygiene—especially location metadata—as a foundational privacy requirement, not an optional extra.
In-Depth
Partiful is carving out a niche as a hip, minimalist alternative to Facebook Events—a fast, stylish way to plan gatherings and manage RSVPs. But in a recent deep dive, TechCrunch’s security team discovered that Partiful was not automatically stripping geolocation metadata (EXIF GPS tags) from photos that users uploaded, including profile images. These tags—standard in almost every smartphone photo—store precise latitude and longitude coordinates. Because Partiful stored the “raw” images in Google‘s Firebase backend, anyone with decent tech savvy could access them through browser developer tools and extract that GPS data.
To validate the issue, TechCrunch uploaded a photo taken outside San Francisco’s Moscone West convention center, which included exact coordinates. When examined on the server side, the photo still carried the same location metadata, confirming that Partiful had not scrubbed it before or during storage. In effect, if someone had snapped a photo at or near their home or workplace and used it as their Partiful profile picture, that location could have been exposed to any user who poked around.
That’s a serious lapse. Most major platforms deploy metadata-stripping by default for privacy reasons; leaving it intact is widely regarded as negligent when you’re storing user photos. Recognizing the gravity, TechCrunch alerted the Partiful team, which acknowledged the issue was “already on our team’s radar” and soon accelerated its fix cycle. Within days, Partiful stripped metadata from new uploads and reprocessed older images to remove sensitive GPS information. The company also publicly disclosed the bug and said it was investigating whether any improper access occurred.
This scandal is more than just a technical slip—it touches on trust, transparency, and the responsibilities that come with collecting user data. It also arrives amid scrutiny over Partiful’s founding team, which includes former Palantir employees. Some critics had already flagged privacy concerns around those ties; this incident amplifies them. As Partiful transitions from a simple event tool toward becoming a social graph (connecting users, tracking interactions, and mapping their events), data safety becomes essential rather than optional.
For users, this is a reminder: disable geographic tagging in your camera app settings, view or strip metadata before posting images, and treat every platform as a potential vector of exposure. For startups—and investors—metadata hygiene should be part of the security baseline, not an afterthought. As Partiful scales, its ability to safeguard sensitive information will be pivotal to whether it becomes a trusted platform or a cautionary tale.