Twitter Tip Jar may expose PayPal address, sparks privacy concerns

This week Twitter has begun experimenting with a new feature called 'Tip Jar,' which lets Twitter users tip select profiles to support their work.

Twitter iOS and Android app users using Twitter in English can now send tips to a limited group of people around the world, including creators, journalists, experts, and nonprofits. 

However, the new feature has sparked multiple concerns among Twitter users: from the sender's PayPal shipping address getting exposed, to how are "disputes" handled.

Twitter 'Tip Jar' may expose your PayPal shipping address

Yesterday, Twitter rolled out a 'Tip Jar' feature to Android and iOS app users who have their preferred language set to English.

The feature has been introduced by the company to "support the incredible voices that make up the conversation on Twitter."

Although anyone can send cash tips, the group who can receive such rewards is currently restricted to just a handful of entities:

"For now, a limited group of people around the world who use Twitter in English can add Tip Jar to their profile and accept tips."

"This group includes creators, journalists, experts, and nonprofits. Soon, more people will be able to add Tip Jar to their profile and we'll expand to more languages," announced Twitter in yesterday's blog post.

Those interested in tipping someone can use a variety of payment methods, including Bandcamp, Cash App, Patreon, Paypal, and Venmo.

Moreover, Twitter does not receive a cut of the tipped amount, although the payment networks may charge a minimal transaction fee. 

However, within a few hours some pointed out that because of how PayPal works, users may not realize that their PayPal shipping address was being exposed to those who they tipped:

Huge heads up on PayPal Twitter Tip Jar. If you send a person a tip using PayPal, when the receiver opens up the receipt from the tip you sent, they get your *address*. Just tested to confirm by tipping @yashar on Twitter w/ PayPal and he did in fact get my address I tipped him. https://t.co/R4NvaXRdlZ pic.twitter.com/r8UyJpNCxu

— Rachel Tobac (@RachelTobac) May 6, 2021

Put simply, because "tipping" counts as a transaction on Twitter, much like a buyer paying a seller when shopping online, PayPal may (by default) expose the money sender's shipping address to the person who is receiving tips.

Twitter users including Anashel and Yashar Ali pointed out that the solution to this potential issue is rather simple.

Those using PayPal for sending tips via Twitter Tip Jar can select "No address needed," under the Shipping Address form field prior to sending the payment: 

Additionally, Twitter has updated its tipping prompt and Help Center to make it clear that other apps, such as PayPal, may share information between people sending and receiving tips.

Well, that one was easy. But there's just one more issue that others have brought up.

But, what about disputes?

What happens when someone tips a Twitter user using the Tip Jar and later files a "dispute" concerning the payment?

Different payment networks offer methods to dispute outbound payments for many reasons: such as receiving faulty goods, or not receiving a service adequately, and so on.

But, in PayPal's case, some have pointed out that if a tip sender files a dispute after tipping someone, things can get ugly for the recipient—who now has to pay a $20 dispute charge, plus payment processing fees, of course, in addition to refunding the tipped amount:

Yup. There's even a "method" for screwing with people using the mandatory $20 chargeback. Give someone 5 fraudulent donations and you've just hit them with $100 in chargeback fees once those donations are reversed. One of many ways Paypal is kinda broken.

— briankrebs (@briankrebs) May 6, 2021

And, as noted by infosec journalist Brian Krebs, if a fraudster can repeat sending "tips" a few times and dispute these, they can, in turn, make the recipient pay up as a result of triggering the dispute process, effectively reversing the direction of flow of money.

It is unclear what policies PayPal and Twitter will introduce to prevent malicious actors from abusing the Tip Jar feature which has just been rolled out.

Also, at this time, not every Twitter Android and iOS app user may have the Tip Jar feature enabled.

Twitter profiles with Tip Jar enabled will show a "Tip Jar" icon next to the "follow(ing)" button on their profile, as shown in the GIF illustration above.

In tests by BleepingComputer, however, Tip Jar was not available for some app users, including those with verified accounts, although the preferred language for the accounts/apps was set to English. 

As such, those interested in pioneering the Tip Jar feature should keep an eye on their app for any updates.