SoylentNews is people

posted by Fnord666 on Thursday February 27 2020, @08:20AM
from the leaky-clipboard dept.

Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data:

Any cut-and-paste data temporarily stored to an iPhone or iPad's memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user's GPS coordinates, passwords, banking data or a spreadsheet copied into an email.

Shedding light onto the potential harm of this scenario is German software engineer, Tommy Mysk, who is trying to raise awareness around what he believes is an Apple vulnerability. To illustrate his concerns, Mysk created a rogue proof-of-concept (PoC) app called KlipboardSpy and an iOS widget named KlipSpyWidget.

Both are designed to illustrate how any app installed on an iOS device can act maliciously and access clipboard data and use it to spy or steal sensitive personal information. To highlight and demonstrate his concerns, Mysk told Threatpost he focused on photos taken by a device's camera that contain time and GPS metadata that could be used to pinpoint a user.

"A user may unwittingly expose their precise location to apps by simply copying a photo taken by the built-in Camera app to the general pasteboard," the developer wrote in a technical blog post outlining his research on Monday.

"Through the GPS coordinates contained in the embedded image properties, any app used by the user after copying such a photo to the pasteboard can read the location information stored in the image properties, and accurately infer a user's precise location. This can happen completely transparently and without user consent," he wrote.

Apple, in response to his research, said it didn't consider its implementation of cut-and-paste as a vulnerability, rather a basic function of most operating systems and applications that run on them, Mysk told Threatpsot[sic].

Apple did not return Threatpost's request for comment for this story.


  • (Score: 1, Interesting) by Anonymous Coward on Thursday February 27 2020, @06:49PM (#963648)

    Here is the fix. Only the currently active/focused app can cut/copy and then only another active/focused app can paste. Background apps can't do either. BTW - apps can't become active/focused by themselves, can they? Seems it would be a security risk to allow anything more than an API for an app to produce a notification while in the background.

  • (Score: 0) by Anonymous Coward on Thursday February 27 2020, @06:55PM (#963651)

    It's too easy to mistakenly click on something with the phone interfaces. I would like positive control when an app wants to read my clipboard.

    AFAIK even Javascript only lets everybody write to the clipboard, but not read.