Fortunately, the issue has already been resolved by Path through a new update to its namesake social networking app.
But what was the issue all about in the first place?
Jeffrey Paul, a Berlin-based security researcher, pointed it out in a blog post titled “Once again, Path steals your data without permission.”
In his post, he noted how Path was able to geotag photos even when Location Services had been explicitly disabled for the app. And it was able to do so by using the EXIF tag location data embedded in photos from the iOS camera roll.
Dylan Casey, Product Manager at Path, then responded with the following comment:
We take user privacy very seriously here at Path. Here is what we have discovered and how we are responding:
1. We were unaware of this issue and have implemented a code change to ignore the EXIF tag location.
2. We have submitted a new version with this fix to the App Store for approval.
3. We have alerted Apple about the concerns you’ve outlined here and will be following up with them.
One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data. This only affected photos taken with the Apple Camera and imported into Path.
Last year, as though in answer to the controversy over Path’s apparent stealing of users’ contacts, Apple launched a feature in iOS 6 that forced third-party apps to explicitly request user permission to access personal information.
This time, it appears that Apple would also have to, as Paul puts it, “close the loophole created by EXIF location tags in photos.”