SoylentNews is people
posted by Fnord666 on Thursday February 27 2020, @08:20AM
from the leaky-clipboard dept.

Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data:

Any cut-and-paste data temporarily stored to an iPhone or iPad's memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user's GPS coordinates, passwords, banking data or a spreadsheet copied into an email.

Shedding light onto the potential harm of this scenario is German software engineer, Tommy Mysk, who is trying to raise awareness around what he believes is an Apple vulnerability. To illustrate his concerns, Mysk created a rogue proof-of-concept (PoC) app called KlipboardSpy and an iOS widget named KlipSpyWidget.

Both are designed to illustrate how any app installed on an iOS device can act maliciously and access clipboard data and use it to spy or steal sensitive personal information. To highlight and demonstrate his concerns, Mysk told Threatpost he focused on photos taken by a device's camera that contain time and GPS metadata that could be used to pinpoint a user.

"A user may unwittingly expose their precise location to apps by simply copying a photo taken by the built-in Camera app to the general pasteboard," the developer wrote in a technical blog post outlining his research on Monday.

"Through the GPS coordinates contained in the embedded image properties, any app used by the user after copying such a photo to the pasteboard can read the location information stored in the image properties, and accurately infer a user's precise location. This can happen completely transparently and without user consent," he wrote.

Apple, in response to his research, said it didn't consider its implementation of cut-and-paste as a vulnerability, rather a basic function of most operating systems and applications that run on them, Mysk told Threatpost.

Apple did not return Threatpost's request for comment for this story.
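The location leak described above comes from the GPS sub-IFD inside a photo's Exif metadata, which any app holding the pasted image can parse. The following is an added example, not code from the Threatpost article or from Mysk's KlipboardSpy proof of concept: it builds a constructed minimal TIFF/Exif blob (the container Exif embeds in a JPEG APP1 segment), decodes the coordinates an app could read from it, and strips the GPS IFD so a copy can be shared without them. The tag numbers are the standard Exif ones; the Make string and the coordinates are made up.

```python
import struct

GPS_IFD_POINTER = 0x8825          # IFD0 tag pointing at the GPS sub-IFD
TAG_MAKE = 0x010F
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF type


def build_sample_exif():
    """Constructed sample (not a real camera file): big-endian TIFF/Exif with a
    Make tag and a GPS IFD holding 37 deg 15' N, 122 deg 30' W."""
    o, ifd0_off, make = ">", 8, b"Apple\x00"
    make_off = ifd0_off + 2 + 2 * 12 + 4     # IFD0 = count, 2 entries, next-IFD offset
    gps_off = make_off + len(make)
    lat_off = gps_off + 2 + 4 * 12 + 4       # GPS IFD = count, 4 entries, next-IFD offset
    lon_off = lat_off + 3 * 8                # three RATIONALs: degrees, minutes, seconds
    b = bytearray(b"MM" + struct.pack(o + "HI", 42, ifd0_off))
    b += struct.pack(o + "H", 2)
    b += struct.pack(o + "HHII", TAG_MAKE, 2, len(make), make_off)
    b += struct.pack(o + "HHII", GPS_IFD_POINTER, 4, 1, gps_off)
    b += struct.pack(o + "I", 0) + make
    b += struct.pack(o + "H", 4)
    b += struct.pack(o + "HHI", TAG_LAT_REF, 2, 2) + b"N\x00\x00\x00"   # ASCII fits inline
    b += struct.pack(o + "HHII", TAG_LAT, 5, 3, lat_off)
    b += struct.pack(o + "HHI", TAG_LON_REF, 2, 2) + b"W\x00\x00\x00"
    b += struct.pack(o + "HHII", TAG_LON, 5, 3, lon_off)
    b += struct.pack(o + "I", 0)
    b += struct.pack(o + "IIIIII", 37, 1, 15, 1, 0, 1)
    b += struct.pack(o + "IIIIII", 122, 1, 30, 1, 0, 1)
    return bytes(b)


def _byte_order(data):
    return {b"II": "<", b"MM": ">"}[bytes(data[:2])]


def _ifd_entries(data, o, offset):
    """Yield (entry_offset, tag, type, count) for each 12-byte entry of an IFD."""
    (n,) = struct.unpack_from(o + "H", data, offset)
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, cnt = struct.unpack_from(o + "HHI", data, e)
        yield e, tag, typ, cnt


def ifd0_tags(data):
    o = _byte_order(data)
    magic, ifd0 = struct.unpack_from(o + "HI", data, 2)
    if magic != 42:
        raise ValueError("not a TIFF/Exif header")
    return [tag for _, tag, _, _ in _ifd_entries(data, o, ifd0)]


def _find_gps_entry(data):
    """(entry_offset, gps_ifd_offset) if IFD0 carries a GPS pointer, else None."""
    o = _byte_order(data)
    _, ifd0 = struct.unpack_from(o + "HI", data, 2)
    for e, tag, _, _ in _ifd_entries(data, o, ifd0):
        if tag == GPS_IFD_POINTER:
            return e, struct.unpack_from(o + "I", data, e + 8)[0]
    return None


def location(data):
    """Decimal-degree (latitude, longitude) an app could read, or None without GPS IFD."""
    found = _find_gps_entry(data)
    if found is None:
        return None
    o, refs, dms = _byte_order(data), {}, {}
    for e, tag, typ, cnt in _ifd_entries(data, o, found[1]):
        if tag in (TAG_LAT_REF, TAG_LON_REF):
            refs[tag] = chr(data[e + 8])
        elif tag in (TAG_LAT, TAG_LON):
            (off,) = struct.unpack_from(o + "I", data, e + 8)
            r = struct.unpack_from(o + "IIIIII", data, off)
            dms[tag] = r[0] / r[1] + r[2] / r[3] / 60 + r[4] / r[5] / 3600
    lat = -dms[TAG_LAT] if refs[TAG_LAT_REF] == "S" else dms[TAG_LAT]
    lon = -dms[TAG_LON] if refs[TAG_LON_REF] == "W" else dms[TAG_LON]
    return lat, lon


def strip_location(data):
    """Copy with the GPS pointer dropped from IFD0 and the GPS IFD plus the values
    it references zeroed. All other offsets are absolute, so they stay valid."""
    found = _find_gps_entry(data)
    if found is None:
        return bytes(data)
    entry_off, gps_off = found
    o, out = _byte_order(data), bytearray(data)
    _, ifd0 = struct.unpack_from(o + "HI", data, 2)
    (n,) = struct.unpack_from(o + "H", data, ifd0)
    end = ifd0 + 2 + 12 * n + 4
    out[entry_off:end - 12] = data[entry_off + 12:end]   # shift tail of IFD0 left
    out[end - 12:end] = bytes(12)                        # freed slot becomes padding
    struct.pack_into(o + "H", out, ifd0, n - 1)
    (g,) = struct.unpack_from(o + "H", data, gps_off)
    for e, _, typ, cnt in _ifd_entries(data, o, gps_off):
        size = TYPE_SIZES[typ] * cnt
        if size > 4:                                     # out-of-line value: wipe it
            (off,) = struct.unpack_from(o + "I", data, e + 8)
            out[off:off + size] = bytes(size)
    out[gps_off:gps_off + 2 + 12 * g + 4] = bytes(2 + 12 * g + 4)
    return bytes(out)
```

`location()` is the read an app could perform on a pasted camera photo; `strip_location()` is the defensive step a sharing or clipboard path can take before the image leaves the user's control. Removing the pointer rather than rewriting the whole file keeps every other offset in the blob intact, and zeroing the orphaned GPS IFD ensures the coordinates do not survive as stray bytes.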


Related Stories

TikTok and 53 Other iOS Apps Still Snoop Your Sensitive Clipboard Data

Apple's iOS 14 beta added a feature that reveals each time an application copies text from the clipboard. A recent article in Ars Technica brought renewed focus to an issue we previously reported in February. This story includes a list of apps from the researcher's blog post.

TikTok and 53 other iOS apps still snoop your sensitive clipboard data:

In March, researchers uncovered a troubling privacy grab by more than four dozen iOS apps including TikTok, the Chinese-owned social media and video-sharing phenomenon that has taken the Internet by storm. Despite TikTok vowing to curb the practice, it continues to access some of Apple users' most sensitive data, which can include passwords, cryptocurrency wallet addresses, account-reset links, and personal messages. Another 53 apps identified in March haven't stopped either.

The privacy invasion is the result of the apps repeatedly reading any text that happens to reside in clipboards, which computers and other devices use to store data that has been cut or copied from things like password managers and email programs. With no clear reason for doing so, researchers Talal Haj Bakry and Tommy Mysk found, the apps deliberately called an iOS programming interface that retrieves text from users' clipboards.

[...] In many cases, the covert reading isn't limited to data stored on the local device. In the event the iPhone or iPad uses the same Apple ID as other Apple devices and are within roughly 10 feet of each other, all of them share a universal clipboard, meaning contents can be copied from the app of one device and pasted into an app running on a separate device.

Reddit and LinkedIn Stop Copying iPhone Clipboard Contents

Reddit and LinkedIn stop copying iPhone clipboards:

Reddit and LinkedIn are changing their apps to prevent them from looking at the Apple iPhone clipboard.

In a developer trial of the latest update to the phone's operating system, iOS 14, users are notified whenever an app accesses the device's copied text.

The notification exposed frequent scanning of the clipboard by apps that many users thought should not need to do so.

The two firms follow TikTok in changing their apps amid the criticism.

[...] In research published in March, Talal Haj Bakry and Tommy Mysk identified dozens of apps which they said had accessed the clipboard.

At the time Apple said it did not think it was a vulnerability.

There are legitimate reasons why an app needs clipboard access - for example, in order to share a website address with a message platform, or to grab a password from a password manager and paste it into a password-protected service.

Related:
Reddit says it's fixing code in its iOS app that copied clipboard contents
Apple iOS 14 Alerts Reveal Reddit App Is Reading User Clipboard Data
Reddit promises to stop accessing user clipboards after being exposed by iOS 14

Previously:
(2020-06-28) TikTok and 53 Other iOS Apps Still Snoop Your Sensitive Clipboard Data
(2020-02-27) Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data

  • (Score: 2) by barbara hudson on Thursday February 27 2020, @08:53AM (2 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Thursday February 27 2020, @08:53AM (#963378) Journal
    The only time I've cut and pasted a photo is to email or text it to someone. I really don't care if they look at the EXIF data. And given that you have to install a malicious app, and given that I only have 3 outside apps installed - Wikipedia, TheGuardian, and CBCNews, and have deleted apps like Apple News, I'm good.

    Anyone who has anything from Google or Facebook, on the other hand, is already hosed.

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 0) by Anonymous Coward on Thursday February 27 2020, @10:06AM (1 child)

      by Anonymous Coward on Thursday February 27 2020, @10:06AM (#963390)

      Only three *I* statements to establish superiority before a claim that puts down everyone else. Are you ok?

      • (Score: 2) by barbara hudson on Friday February 28 2020, @02:12AM

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday February 28 2020, @02:12AM (#963908) Journal
        And you still can't refute the statement that the whole "security hole" is bullshit. Amazing. Look, you probably load your phones and computers with all sorts of shit and go to all sorts of sites, so you're p0wned 100 ways before you even start, but some of us don't do such stupid things. I am one of those. I have better things to do.
        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
  • (Score: 2, Insightful) by Anonymous Coward on Thursday February 27 2020, @10:05AM (4 children)

    by Anonymous Coward on Thursday February 27 2020, @10:05AM (#963389)

    That's how clipboards work. I don't understand what is the problem here.

    • (Score: 0) by Anonymous Coward on Thursday February 27 2020, @12:24PM

      by Anonymous Coward on Thursday February 27 2020, @12:24PM (#963440)

      Complete lack of any technical knowledge in the new generation.

      They know to swipe up, swipe down, push left, push right, but they have no idea how the flat magic picture box works to make the magic happen.

      Result: people complaining that there is a problem in the basic operation of a feature.

    • (Score: 2) by coolgopher on Thursday February 27 2020, @12:27PM

      by coolgopher (1157) on Thursday February 27 2020, @12:27PM (#963443)

      The author seems to be in favour of making "paste" a privileged operation which can only be initiated by the OS, presumably via some dedicated UI element, or maybe only from the foreground application. There could be some merit to it I guess, but to me it sounds like a storm in a tea cup. Not installing dodgy apps would seem a far better approach...

    • (Score: 2) by maxwell demon on Thursday February 27 2020, @05:12PM (1 child)

      by maxwell demon (1608) on Thursday February 27 2020, @05:12PM (#963611) Journal

      The problem is the changed expectations.

      When copy/paste was invented, the general concept was that the software on a computer is installed there by someone who is responsible for what is installed there, and the system can be trusted to only run software that has intentionally been installed by that person.

      Today, the idea of most people is that you should be able to run any crap on your device and still be completely safe. Moreover, web pages may run crap on your computer without you even knowing.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Thursday February 27 2020, @05:54PM

        by Anonymous Coward on Thursday February 27 2020, @05:54PM (#963626)

        Copy-paste is simple programming.
        Apple's flaw is that too many programs are "also an IDE (integrated development interface)" running in the background with access to the clipboard.
        It would suck if writing any program would report home every keystroke and misspelling to each and every developer of another program running in the background whilst programming said previously wrongly typed program.
        Copy-paste should be implemented dumb, not with an overlay API (application programming interface) to it. Duh, no! Double duh!!

  • (Score: 1, Insightful) by Anonymous Coward on Thursday February 27 2020, @12:21PM (2 children)

    by Anonymous Coward on Thursday February 27 2020, @12:21PM (#963439)

    While the article tries hard to imply this is an iOS issue, reality is different, and a bit more boring (i.e., less "click baiting", if not actually more scary).

    This is an issue with all systems with shared clipboards (iOS, Android, Win, MacOS, Linux).

    That's why the clipboard was, originally, called the shared clipboard (but shared long since was dropped and few remember anymore). It is shared and in this context shared means with every single app/program currently running on the device.

    If the clipboard was not shared then the UI for data transfer between separate programs would be a whole lot more cumbersome.

    First, the destination program would have to be started or already running before the copy was performed (otherwise the next step would be even more cumbersome).

    Second, when selecting copy (or cut) you will have to be presented with a list of all running programs that accept clipboard data, and you would have to pick the destination explicitly.

    Only then could you switch to the destination and paste the result somewhere.

    The joe six-packs would be up in arms if that had to be the UI for copy-paste between programs.

    And, for something like a web browser with plural tabs (where each tab has more in common with an additional running program on the system due to JS) the list of "running programs" would also have to include each tab as a separate menu entry, in order to prevent tab 25 from grabbing clipboard data when the user meant for it to go to tab 37.

    • (Score: 4, Insightful) by maxwell demon on Thursday February 27 2020, @05:05PM (1 child)

      by maxwell demon (1608) on Thursday February 27 2020, @05:05PM (#963606) Journal

      First, the destination program would have to be started or already running before the copy was performed (otherwise the next step would be even more cumbersome).

      No, that's not necessary. The copy step transfers the data to the OS, which already has complete control anyway. So all that would be needed is that the OS stores not only the copied information, but also which program the information was copied from.

      It's only the paste step that would need to be changed. When the application requests a paste, the OS would pop up a dialogue "The application $X requests data from the clipboard that was put there by application $Y. Do you want to allow the application access to the data?"

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 5, Informative) by hendrikboom on Thursday February 27 2020, @11:17PM

        by hendrikboom (1125) Subscriber Badge on Thursday February 27 2020, @11:17PM (#963855) Homepage Journal

        It shouldn't be the application that requests the paste. It should be the OS (which is part of the OS) that interprets user actions as a paste and informs the application that the user has designated as the proper recipient. Without being so designated a process should have no access to the paste datum.

  • (Score: 1, Interesting) by Anonymous Coward on Thursday February 27 2020, @06:49PM (1 child)

    by Anonymous Coward on Thursday February 27 2020, @06:49PM (#963648)

    Here is the fix. Only the currently active/focused app can cut/copy and then only another active/focused app can paste. Background apps can't do either. BTW - apps can't become active/focused by themselves, can they? Seems it would be a security risk to allow anything more than an API for an app to produce a notification while in the background.

    • (Score: 0) by Anonymous Coward on Thursday February 27 2020, @06:55PM

      by Anonymous Coward on Thursday February 27 2020, @06:55PM (#963651)

      It's too easy to mistakenly click on something with the phone interfaces. I would like positive control when an app wants to read my clipboard.

      AFAIK even JavaScript only lets everybody write to the clipboard, but not read.
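Several commenters above sketch the same defensive design from different angles: maxwell demon's OS that records which app copied the data and asks the user before a different app reads it, hendrikboom's OS-driven paste that only reaches the recipient the user designated, and the Anonymous Coward's rule that background apps can neither copy nor paste. The following toy broker is an added example modelling those proposals together; it is not code from SoylentNews, from Apple, or from any real pasteboard implementation. The app names, the secret and the consent answers are constructed, and `consent` stands in for the user's reply to the dialogue.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class ClipItem:
    source: str       # app that placed the data on the clipboard
    payload: str


@dataclass
class ClipboardBroker:
    """Toy OS-side clipboard that gates reads instead of serving any caller."""
    consent: Callable[[str, str], bool]          # (requesting app, source app) -> allowed?
    foreground: Optional[str] = None
    item: Optional[ClipItem] = None
    audit: list = field(default_factory=list)    # (event, app, allowed) records

    def _log(self, event, app, allowed):
        self.audit.append((event, app, allowed))
        return allowed

    def focus(self, app):
        """Only the OS moves focus; an app cannot make itself foreground."""
        self.foreground = app

    def copy(self, app, payload):
        # copies are accepted only from the app the user is interacting with
        if app != self.foreground:
            return self._log("copy", app, False)
        self.item = ClipItem(app, payload)
        return self._log("copy", app, True)

    def paste(self, app):
        """App-initiated read: foreground only, and cross-app reads need consent."""
        if self.item is None:
            return None
        if app != self.foreground:
            self._log("paste", app, False)       # background poll: refused
            return None
        if app != self.item.source and not self.consent(app, self.item.source):
            self._log("paste", app, False)       # user declined the dialogue
            return None
        self._log("paste", app, True)
        return self.item.payload

    def user_paste(self, app):
        """OS-initiated paste: the user's gesture designates the recipient, so no
        dialogue is needed, but the access is still recorded for review."""
        if self.item is None or app != self.foreground:
            return None
        self._log("user_paste", app, True)
        return self.item.payload


def run_scenario():
    """Constructed scenario: a password manager copies a secret while a spy app
    polls the clipboard from the background, as the story describes."""
    decisions = {("Mail", "PasswordManager"): True}   # stands in for the user's answers
    broker = ClipboardBroker(consent=lambda req, src: decisions.get((req, src), False))
    broker.focus("PasswordManager")
    broker.copy("PasswordManager", "hunter2")         # constructed sample secret
    broker.focus("Mail")
    spy_bg = broker.paste("SpyWidget")      # background poll, refused
    mail = broker.paste("Mail")             # foreground, user says yes
    broker.focus("SpyWidget")
    spy_fg = broker.paste("SpyWidget")      # foreground, but user says no
    pasted = broker.user_paste("SpyWidget") # user explicitly pastes into it
    return spy_bg, mail, spy_fg, pasted, broker.audit
```

The audit list plays the role of the iOS 14 beta notification mentioned in the related stories: every attempt, granted or refused, is visible after the fact, which is what exposed the apps named above. Separating `paste()` (an app asking) from `user_paste()` (the OS acting on a gesture) is hendrikboom's point in code: a process that was never designated as the recipient gets nothing, regardless of what it requests.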
