It looks like vulnerable journalists that rely on Twitter tips could be in danger as every transaction could leak their email address.
As reported by one user testing the new payment feature, this is what shows up after sending a donation:
Huge heads up on PayPal Twitter Tip Jar. If you send a person a tip using PayPal, when the receiver opens up the receipt from the tip you sent, they get your *address*. Just tested to confirm by tipping @yashar on Twitter w/ PayPal and he did in fact get my address I tipped him. https://t.co/R4NvaXRdlZ pic.twitter.com/r8UyJpNCxu— Rachel Tobac (@RachelTobac) May 6, 2021
This is what Twitter support has to say about the potential exploit:
We’re updating our tipping prompt and Help Center to make it clearer that other apps may share info between people sending/receiving tips, per their terms.— Twitter Support (@TwitterSupport) May 6, 2021