posted by Fnord666 on Tuesday July 07 2020, @07:14PM
from the just-a-quick-peek dept.

Reddit and LinkedIn stop copying iPhone clipboards:

Reddit and LinkedIn are changing their apps to prevent them from looking at the Apple iPhone clipboard.

In a developer trial of the latest update to the phone's operating system, iOS 14, users are notified whenever an app accesses the device's copied text.

The notification exposed frequent scanning of the clipboard by apps that many users thought should not need to do so.

The two firms follow TikTok in changing their apps amid the criticism.

[...] In research published in March, Talal Haj Bakry and Tommy Mysk identified dozens of apps which they said had accessed the clipboard.

At the time Apple said it did not think it was a vulnerability.

There are legitimate reasons why an app needs clipboard access - for example, in order to share a website address with a message platform, or to grab a password from a password manager and paste it into a password-protected service.

Related:
Reddit says it's fixing code in its iOS app that copied clipboard contents
Apple iOS 14 Alerts Reveal Reddit App Is Reading User Clipboard Data
Reddit promises to stop accessing user clipboards after being exposed by iOS 14

Previously:
(2020-06-28) TikTok and 53 Other iOS Apps Still Snoop Your Sensitive Clipboard Data
(2020-02-27) Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data


Related Stories

Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data 13 comments

Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data:

Any cut-and-paste data temporarily stored to an iPhone or iPad's memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user's GPS coordinates, passwords, banking data or a spreadsheet copied into an email.

Shedding light onto the potential harm of this scenario is German software engineer, Tommy Mysk, who is trying to raise awareness around what he believes is an Apple vulnerability. To illustrate his concerns, Mysk created a rogue proof-of-concept (PoC) app called KlipboardSpy and an iOS widget named KlipSpyWidget.

Both are designed to illustrate how any app installed on an iOS device can act maliciously and access clipboard data and use it to spy or steal sensitive personal information. To highlight and demonstrate his concerns, Mysk told Threatpost he focused on photos taken by a device's camera that contain time and GPS metadata that could be used to pinpoint a user.

"A user may unwittingly expose their precise location to apps by simply copying a photo taken by the built-in Camera app to the general pasteboard," the developer wrote in a technical blog post outlining his research on Monday.

"Through the GPS coordinates contained in the embedded image properties, any app used by the user after copying such a photo to the pasteboard can read the location information stored in the image properties, and accurately infer a user's precise location. This can happen completely transparently and without user consent," he wrote.

Apple, in response to his research, said it didn't consider its implementation of cut-and-paste a vulnerability, but rather a basic function of most operating systems and the applications that run on them, Mysk told Threatpsot[sic].

Apple did not return Threatpost's request for comment for this story.


TikTok and 53 Other iOS Apps Still Snoop Your Sensitive Clipboard Data 14 comments

Apple's iOS 14 beta added a feature that reveals each time an application copies text from the clipboard. A recent article in Ars Technica brought renewed focus to an issue we previously reported in February. This story includes a list of apps from the researcher's blog post.

TikTok and 53 other iOS apps still snoop your sensitive clipboard data:

In March, researchers uncovered a troubling privacy grab by more than four dozen iOS apps including TikTok, the Chinese-owned social media and video-sharing phenomenon that has taken the Internet by storm. Despite TikTok vowing to curb the practice, it continues to access some of Apple users' most sensitive data, which can include passwords, cryptocurrency wallet addresses, account-reset links, and personal messages. Another 53 apps identified in March haven't stopped either.

The privacy invasion is the result of the apps repeatedly reading any text that happens to reside in clipboards, which computers and other devices use to store data that has been cut or copied from things like password managers and email programs. With no clear reason for doing so, researchers Talal Haj Bakry and Tommy Mysk found, the apps deliberately called an iOS programming interface that retrieves text from users' clipboards.

[...] In many cases, the covert reading isn't limited to data stored on the local device. In the event the iPhone or iPad uses the same Apple ID as other Apple devices and they are within roughly 10 feet of each other, all of them share a universal clipboard, meaning contents can be copied from the app of one device and pasted into an app running on a separate device.

TikTok: Trump Will Prohibit Transactions with Bytedance Beginning September 20 127 comments

From The Verge:

President Trump has signed a new executive order which will block all transactions with Bytedance, TikTok's parent corporation, in an effort to "address the national emergency with respect to the information and communication technology supply chain."

The move comes after months of escalating tensions, which saw Secretary of State Mike Pompeo and others at the White House warn that TikTok presented a national security threat because of its Chinese ownership. Microsoft is currently in talks to acquire portions of the app, aimed to be complete by September 15th.

A parallel order banned transactions with WeChat, a popular texting app in China that maintains a small user base in the US.

[...] The executive branch has the power to levy sanctions against individuals and corporations by placing them on the "entity list," as the US did against Huawei and ZTE last year. But such sanctions are typically put in place by the Commerce Department rather than the White House, and subject to a specific rule-making procedure that seems to have been short-circuited by the surprise executive order.

See also: Tencent stock plummets after Trump announces plan to ban WeChat in the US

Previously:
(2020-08-01) President Trump Threatens TikTok Ban, Microsoft Considers Buying TikTok's U.S. Operations[Updated 2]
(2020-07-07) Reddit and LinkedIn Stop Copying iPhone Clipboard Contents
(2020-06-30) India Bans TikTok, WeChat, and Other Chinese-Owned Apps
(2020-06-28) TikTok and 53 Other iOS Apps Still Snoop Your Sensitive Clipboard Data
(2019-12-27) Investigation Claims United Arab Emirates Uses The ToTok App To Spy
(2019-10-26) Lawmakers Ask US Intelligence to Assess If TikTok is a Security Threat

  • (Score: 3, Interesting) by Runaway1956 on Tuesday July 07 2020, @07:21PM (12 children)

    by Runaway1956 (2926) Subscriber Badge on Tuesday July 07 2020, @07:21PM (#1017827) Journal

    for example, in order to share a website address with a message platform, or to grab a password from a password manager and paste it into a password-protected service.

    WTF did they say? Their apps need access to password manager's data? Huh? Surely, I didn't read that correctly. How 'bout you, Shirley?

    The PASSWORD MANAGER should be managing passwords, not some freaking random app that you've installed from the intarwebz!!!

    • (Score: -1, Offtopic) by Anonymous Coward on Tuesday July 07 2020, @07:26PM (4 children)

      by Anonymous Coward on Tuesday July 07 2020, @07:26PM (#1017831)
      • (Score: 2) by Runaway1956 on Tuesday July 07 2020, @07:49PM

        by Runaway1956 (2926) Subscriber Badge on Tuesday July 07 2020, @07:49PM (#1017840) Journal

        Tweets don't display on my machine. I think Twitter is blocked as a malicious software site, which would be consistent with TFA.

      • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 07 2020, @08:40PM (2 children)

        by Anonymous Coward on Tuesday July 07 2020, @08:40PM (#1017868)

        Man, I really hate it when assholes take something somebody else said out context, criticize it, and make it impossible to find the original context. What's the point of criticizing some random stranger behind their back anyway?

        What if I wanted to find more dumb shit to laugh at? Why make it hard?

        For all we know, the context could have been "in base 4, 2+2=10". Probably not, but it's possible. Apparently I'm not allowed to know for sure.

        • (Score: 0) by Anonymous Coward on Tuesday July 07 2020, @09:24PM (1 child)

          by Anonymous Coward on Tuesday July 07 2020, @09:24PM (#1017883)

          You can easily search her Twitter, which got set to private. And no one wants to use base 4, but base 12 would make sense. Base 10 is the basis of greed, while 12 makes sharing easier (divide equally among 1, 2, 3, 4, 6, 12 comrades vs only 1, 2, 5, 10). But 2 + 2 = 4 in base 12 as well.

          • (Score: 2) by Mykl on Tuesday July 07 2020, @11:16PM

            by Mykl (1112) on Tuesday July 07 2020, @11:16PM (#1017913)

            Divide equally? Sounds like Communism. That's why I use base 11.

    • (Score: 2) by Freeman on Tuesday July 07 2020, @07:28PM (6 children)

      by Freeman (732) on Tuesday July 07 2020, @07:28PM (#1017833) Journal

      That quote is from the BBC writer. "frequent scanning of the clipboard" sounds like poor design at best, malicious intent at worst.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 2, Insightful) by fustakrakich on Tuesday July 07 2020, @07:36PM (5 children)

        by fustakrakich (6150) on Tuesday July 07 2020, @07:36PM (#1017836) Journal

        Well, it was very nice of them to stop, don't you think?

        --
Politics and criminals are the same thing..
        • (Score: 5, Interesting) by meustrus on Tuesday July 07 2020, @08:29PM (3 children)

          by meustrus (4961) on Tuesday July 07 2020, @08:29PM (#1017859)

          They only stopped because users complained.

          Users only complained because Apple put up an annoying notification banner whenever the app was doing it.

          Apple only put up the annoying notification banner because security researchers begged them to.

          And of course, Android apps can still do it, because Google doesn't listen to security researchers nearly as much as it listens to its buddies in the malware distribution business.

          --
          If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
          • (Score: 2) by Freeman on Tuesday July 07 2020, @08:48PM (1 child)

            by Freeman (732) on Tuesday July 07 2020, @08:48PM (#1017871) Journal

            Apple wants to be seen as safe and secure with their walled garden. Then, they need to act like it.

            Android remains the wild west of phone operating systems. Just like Windows is the wild west of Desktop Operating Systems.

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
          • (Score: 2) by Muad'Dave on Wednesday July 08 2020, @11:42AM

            by Muad'Dave (1413) on Wednesday July 08 2020, @11:42AM (#1018147)

            I wish Apple would add a permission to access the speaker. No more ads blaring out while playing solitaire on the down-low.

        • (Score: 2, Touché) by RandomFactor on Tuesday July 07 2020, @08:36PM

          by RandomFactor (3682) Subscriber Badge on Tuesday July 07 2020, @08:36PM (#1017864) Journal

          +1 Snarcastic

          --
In "Pravda" there is no news; in "Izvestia" there is no truth
  • (Score: -1, Troll) by Anonymous Coward on Tuesday July 07 2020, @07:51PM (3 children)

    by Anonymous Coward on Tuesday July 07 2020, @07:51PM (#1017841)

    I loaded the official SoylentNews app onto my Apple iPhone and it replaced all my bookmarks with links to social-justice websites, substituted my carefully curated collection of J-Lo porn with pictures of TMB in a dress, and used all of my Bitcoins to buy SoylentNews subscriptions for orphans.

    • (Score: 1, Funny) by Anonymous Coward on Tuesday July 07 2020, @08:25PM

      by Anonymous Coward on Tuesday July 07 2020, @08:25PM (#1017857)

      Write an email to them asking how Slashdot malware got into their app

    • (Score: 0) by Anonymous Coward on Tuesday July 07 2020, @08:36PM

      by Anonymous Coward on Tuesday July 07 2020, @08:36PM (#1017865)

      pictures of TMB in a dress

      It's funny, but in reality, I doubt TMB would like the idea of you, determined to jizz, opening up your collection and deciding to pretend it's all the same until you can go rebuild.

      No, it's more likely aristarchus is photoshopped into the dress. It's always the somewhat outcast innocent bystanders that get emasculated like that.

      And we can all just ignore the trans people here. You wouldn't have to photoshop the dress, but it wouldn't be funny anyway, because they might actually look hot in it.

    • (Score: 0) by Anonymous Coward on Wednesday July 08 2020, @02:10AM

      by Anonymous Coward on Wednesday July 08 2020, @02:10AM (#1017994)

      What have you got against orphans?

  • (Score: 2) by looorg on Tuesday July 07 2020, @08:24PM (6 children)

    by looorg (578) on Tuesday July 07 2020, @08:24PM (#1017855)

Isn't this just part of the lazy programmer's handbook? Just give/take/demand all access to everything for the app. Less work. I have found myself many times wondering why it needs access to this, that, or the other, and there really is no reason for it. It seems that it's just easier to get access to everything and then not worry or think that much about it.

    • (Score: 5, Insightful) by Anonymous Coward on Tuesday July 07 2020, @08:29PM

      by Anonymous Coward on Tuesday July 07 2020, @08:29PM (#1017860)

      "I just need this one function"
      "dude you just included 300 MB of libraries"
      "yea who cares disk is cheap"

      *sigh*

    • (Score: 2) by Freeman on Tuesday July 07 2020, @08:50PM

      by Freeman (732) on Tuesday July 07 2020, @08:50PM (#1017873) Journal

To some extent yes, but the lazy programmer shouldn't be scanning the clipboard either. Though, maybe they were using it to send themselves error reports and the lazy programmer stuck it in the clipboard . . .

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 2) by Grishnakh on Wednesday July 08 2020, @12:10AM (3 children)

      by Grishnakh (2831) on Wednesday July 08 2020, @12:10AM (#1017934)

      I don't see how having clipboard access isn't almost essential for something like a messaging app. HowTF are you supposed to send someone a URL without using the clipboard? No one wants to write it down on a piece of paper, then type it out on the phone's on-screen keyboard. Seriously, having clipboard access is perfectly reasonable for a chat app. (I don't know about the "frequent scanning of the clipboard" though.)

      The whole purpose of a messaging app is to communicate. Clipboards are for copying information (usually textual) between applications. It's not at all unreasonable for someone to want to copy-and-paste text between a chat app and some other app (for instance, a translator app, a web browser, etc.).

      • (Score: 2) by looorg on Wednesday July 08 2020, @12:43AM (2 children)

        by looorg (578) on Wednesday July 08 2020, @12:43AM (#1017947)

In the case of the article tho I guess Reddit and LinkedIn don't agree with your assessment. Clearly caught with their hand in the cookie jar where it didn't belong. It's not about whether there are some or no legitimate reasons for it. But at the same time why would you need it? And need it all the time? What does it do with all the information it has access to but wasn't meant for it? Is that just gone, or is it stored or sent somewhere else? How do you distinguish between needed and not needed access?

It seems to be a fairly common issue for a lot of apps that they just ask for all the access cause that is just somehow easier. Let's just have clipboard, GPS, camera, microphone, messages, address book, maps, settings, whatever access there is. Also they seem to fail if they don't get them even tho there should be no reason to have them. I figure it's as was pointed out in the other reply: it's just easier to grab everything than to actually do what you need and just that.

        • (Score: 2) by Grishnakh on Wednesday July 08 2020, @01:19AM (1 child)

          by Grishnakh (2831) on Wednesday July 08 2020, @01:19AM (#1017966)

In the case of the article tho I guess Reddit and LinkedIn don't agree with your assessment.

          Even here, I see valid use-cases. For LinkedIn, what if I want to copy-and-paste from my resume to LinkedIn, or copy from a message there to someplace else? LinkedIn is also a messaging platform, remember. Why would I not want to be able to copy messages? What if I want to compose a message in an editor or something? Same goes for Reddit.

It's not about whether there are some or no legitimate reasons for it. But at the same time why would you need it?

I believe I've already addressed this. If you don't think copy-and-paste is necessary in today's world, I don't know what to tell you. Windows has had it since the beginning in the 80s, and I'm pretty sure the X Window System has as well. Apple didn't have it on their iPhones (iOS) for a while when those phones were new, and it was easily the #1 complaint because it's such a PITA to not be able to copy-and-paste text from place to place. They finally added it in. I'm pretty sure Android had it all along, though I could be wrong. This feature has been recognized as an essential feature of GUI systems for many decades now. I wouldn't be surprised if Xerox PARC even had it.

          And need it all the time.

          How exactly do you give access *some* of the time to copy-and-paste functionality? That doesn't even make sense. Either you have access to the clipboard or you don't. It's like this with access to any system service: either the app has it, or it doesn't.

          What does it do with all the information it has access to but wasn't meant for it?

          I don't know, but what this does make me wonder is: why should any app have access to the clipboard contents unless you specifically press-and-hold and then press "paste"? If this isn't the case, this sounds like a failure in OS design. Maybe the mobile OS vendors need to do a redesign.

It seems to be a fairly common issue for a lot of apps that they just ask for all the access cause that is just somehow easier. Let's just have clipboard, GPS, camera, microphone, messages, address book, maps, settings, whatever access there is.

          Yes, I get that LinkedIn's app doesn't need your GPS location or access to your microphone. But this isn't what we're talking about here; we're talking about the clipboard, and messaging apps. They have a very good reason to use the clipboard.

          • (Score: 2) by looorg on Wednesday July 08 2020, @02:06PM

            by looorg (578) on Wednesday July 08 2020, @02:06PM (#1018203)

            It's not about if there are legitimate reasons to have access to the clipboard or not. There clearly are cases when this is useful and needed. But that wasn't the case in the article.

            The notification exposed frequent scanning of the clipboard by apps that many users thought should not need to do so.

            This is the issue. They are scanning the clipboard even when you don't need it or asked for it. Probably as some kind of "feature". A feature they couldn't defend when asked about it, cause it probably made no sense. If you as a user press the button to fetch something from or send something to the clipboard that is just fine. Not the issue here.

  • (Score: 4, Insightful) by corey on Tuesday July 07 2020, @11:10PM

    by corey (2202) on Tuesday July 07 2020, @11:10PM (#1017912)

    Reddit and LinkedIn are websites. For accessing with a web browser. I don't see any need for using a shitty app. I use both but Reddit lately nags the shit out of me to use their app. Wonder why they put so much effort into that, as a business. Hmm.

    Yeah, bullshit. I'll find a new website to use before installing that spyware.

  • (Score: 0) by Anonymous Coward on Wednesday July 08 2020, @12:04AM

    by Anonymous Coward on Wednesday July 08 2020, @12:04AM (#1017929)

Letting someone else run their code on my computer with network access currently requires trust.
It appears the interpreter is not up to it and the current commercial environment.

Apple exposed that Reddit, et al. were peeking at things a user would not expect them to.

Reddit said it was ok because XXX, but we won't do it any more.
I find that unsatisfying.
Either XXX was a good reason for the user and they should keep using it, or XXX was bogus, which makes their app a Trojan horse.
That they just backed off without trying to convince users that XXX was good for them leans me towards the latter.

No doubt many others are doing similar things and Reddit is not a special case.
What could my phone do to improve this?
Publishing who is accessing stuff is good.

Perhaps the interpreter could keep track of who uses the data from all the neat input a phone can provide.
Then allow some things to be used temporarily locally, but require user intervention for things to go further.
It would be a pain for the JS interp to have to track access rights for each variable, but CPU cycles don't seem rare?

  • (Score: 0) by Anonymous Coward on Wednesday July 08 2020, @05:48AM (2 children)

    by Anonymous Coward on Wednesday July 08 2020, @05:48AM (#1018074)

    This sounds like an architectural defect. When I hit ctrl-V, that's coming from the operating system. The browser (or any application) shouldn't even be able to distinguish that the text came from me hitting ctrl-V or typing it directly.

    If there's something like a password cache, that should be a separate API, with separate permissions for access. I'm struggling to even imagine how the clipboard would come into play there, but then I don't develop for those platforms...

Now I just reviewed the Windows API docs, and part of that is that you can monitor the clipboard, but there's nothing about the operation of a clipboard that inherently requires that kind of insecurity. In particular, there's nothing to stand in the way of making *paste* something that the user must initiate from the OS, and the application would simply respond to paste requests or not. It's a bit of a problem if you want to have a paste menu item as opposed to ctrl-V or other externally initiated action though. How are people typically pasting on these devices? I thought menus were passé.

    • (Score: 0) by Anonymous Coward on Wednesday July 08 2020, @02:28PM

      by Anonymous Coward on Wednesday July 08 2020, @02:28PM (#1018206)

      AFAICT on android, most "apps" have that weird sideways triangle share button thing, and copy/paste is only accessible through a long press while the keyboard is open.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday July 08 2020, @07:15PM

      by Anonymous Coward on Wednesday July 08 2020, @07:15PM (#1018342)

      That's not how it works. Consider for instance that you can copy/paste arbitrary data (such as an image) in different programs and it will behave differently. Or consider various right click context menus that have a paste option - that's functionality implemented by the developer. Many APIs have controls with some built in support for copy paste stuff (like most text boxes) but that support is there to ensure UI consistency and for programmer convenience - nothing to do with security. The developer can override such functionality and it's important that such an override is possible.

      However, obviously applications should only be checking the clipboard when the user demands such behavior in some way or another. So for instance by clicking in a paste context menu item, or by pressing a hotkey for such. The fact that they were arbitrarily scanning the clipboard is almost 100% an indicator of malicious behavior. As a general indicator, the more a company (or person for that matter) virtue signals - the scummier they are. And so this should come as zero surprise from a company like Reddit.
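The pattern the reply above describes, reading the clipboard only when the user actually invokes Paste, is what an iOS code reviewer would look for. The Swift below is an added example written for this page; it is not code from Reddit, LinkedIn, or the researchers' KlipboardSpy PoC, and the class names are assumptions for illustration. It relies on `UIPasteboard.general.hasStrings` / `hasURLs`, which report availability without reading the contents, and on the standard `UIResponder` paste action.

```swift
import UIKit

// Hardened form: a text view that touches UIPasteboard only inside the
// user-initiated paste action. Class name is an assumption for illustration.
final class PasteOnDemandTextView: UITextView {

    // UIKit calls this to decide whether the "Paste" menu item is enabled.
    // hasStrings / hasURLs only say whether matching content exists; they do
    // not read the contents, so they do not trigger the iOS 14 "pasted from"
    // banner that exposed the apps in the story.
    override func canPerformAction(_ action: Selector, withSender sender: Any?) -> Bool {
        if action == #selector(paste(_:)) {
            let pb = UIPasteboard.general
            return pb.hasStrings || pb.hasURLs
        }
        return super.canPerformAction(action, withSender: sender)
    }

    // The only place the pasteboard contents are read. Reading .url or
    // .string here is exactly what the user asked for, so a banner is expected.
    override func paste(_ sender: Any?) {
        let pb = UIPasteboard.general
        if let url = pb.url {
            insertText(url.absoluteString)
        } else if let text = pb.string {
            insertText(text)
        }
    }
}

// What the banner exposed, shown for contrast so a reviewer can recognise it:
// an unsolicited read whenever a screen appears, with no user action involved.
// Every call to .string here reads the clipboard and fires the banner.
final class ClipboardPollingViewController: UIViewController {
    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        _ = UIPasteboard.general.string   // flag this in review: no paste was requested
    }
}
```

In a review, any `UIPasteboard.general.string` / `.url` / `.items` read outside a paste handler or an explicit "Paste" button action is the thing to question; availability checks and user-triggered reads are the expected shape.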
