date 2007-07-20
from the just-a-quick-peek dept.
Reddit and LinkedIn stop copying iPhone clipboards:
Reddit and LinkedIn are changing their apps to prevent them from looking at the Apple iPhone clipboard.
In a developer trial of the latest update to the phone's operating system, iOS 14, users are notified whenever an app accesses the device's copied text.
The notification exposed frequent scanning of the clipboard by apps that many users thought should not need to do so.
The two firms follow TikTok in changing their apps amid the criticism.
[...] In research published in March, Talal Haj Bakry and Tommy Mysk identified dozens of apps which they said had accessed the clipboard.
At the time Apple said it did not think it was a vulnerability.
There are legitimate reasons why an app needs clipboard access - for example, in order to share a website address with a message platform, or to grab a password from a password manager and paste it into a password-protected service.
Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data:
Any cut-and-paste data temporarily stored to an iPhone or iPad's memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user's GPS coordinates, passwords, banking data or a spreadsheet copied into an email.
Shedding light onto the potential harm of this scenario is German software engineer, Tommy Mysk, who is trying to raise awareness around what he believes is an Apple vulnerability. To illustrate his concerns, Mysk created a rogue proof-of-concept (PoC) app called KlipboardSpy and an iOS widget named KlipSpyWidget.
Both are designed to illustrate how any app installed on an iOS device can act maliciously and access clipboard data and use it to spy or steal sensitive personal information. To highlight and demonstrate his concerns, Mysk told Threatpost he focused on photos taken by a device's camera that contain time and GPS metadata that could be used to pinpoint a user.
"A user may unwittingly expose their precise location to apps by simply copying a photo taken by the built-in Camera app to the general pasteboard," the developer wrote in a technical blog post outlining his research on Monday.
"Through the GPS coordinates contained in the embedded image properties, any app used by the user after copying such a photo to the pasteboard can read the location information stored in the image properties, and accurately infer a user's precise location. This can happen completely transparently and without user consent," he wrote.
Apple, in response to his research, said it didn't consider its implementation of cut-and-paste as a vulnerability, rather a basic function of most operating systems and applications that run on them, Mysk told Threatpsot[sic].
Apple did not return Threatpost's request for comment for this story.
Apple's iOS 14 beta added a feature that reveals each time an application copies text from the clipboard. A recent article in Ars Technica brought renewed focus to an issue we previously reported in February. This story includes a list of apps from the researcher's blog post.
TikTok and 53 other iOS apps still snoop your sensitive clipboard data:
In March, researchers uncovered a troubling privacy grab by more than four dozen iOS apps including TikTok, the Chinese-owned social media and video-sharing phenomenon that has taken the Internet by storm. Despite TikTok vowing to curb the practice, it continues to access some of Apple users' most sensitive data, which can include passwords, cryptocurrency wallet addresses, account-reset links, and personal messages. Another 53 apps identified in March haven't stopped either.
The privacy invasion is the result of the apps repeatedly reading any text that happens to reside in clipboards, which computers and other devices use to store data that has been cut or copied from things like password managers and email programs. With no clear reason for doing so, researchers Talal Haj Bakry and Tommy Mysk found, the apps deliberately called an iOS programming interface that retrieves text from users' clipboards.
[...] In many cases, the covert reading isn't limited to data stored on the local device. In the event the iPhone or iPad uses the same Apple ID as other Apple devices and are within roughly 10 feet of each other, all of them share a universal clipboard, meaning contents can be copied from the app of one device and pasted into an app running on a separate device.
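The quoted research notes that a photo copied to the pasteboard carries its GPS coordinates in the embedded image properties. As an added example (not code from the articles or the researchers), this sketch detects the Exif GPS pointer in a JPEG and rebuilds the file without its Exif segment before it is copied or shared; the function names and the sample bytes are constructed for illustration.

```python
EXIF_HDR = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD

def split_jpeg(jpeg):
    """Return ([(marker, payload)], rest); rest starts at SOS (image data)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")  # includes itself
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated or corrupt segment")
        segs.append((jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs, jpeg[pos:]

def build_segment(marker, payload):
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

def has_gps(jpeg):
    """True if an Exif APP1 segment's IFD0 carries a GPSInfo pointer."""
    for marker, payload in split_jpeg(jpeg)[0]:
        if marker != 0xE1 or not payload.startswith(EXIF_HDR):
            continue
        tiff = payload[len(EXIF_HDR):]
        order = {b"II": "little", b"MM": "big"}.get(tiff[:2])
        if order is None:
            continue
        ifd0 = int.from_bytes(tiff[4:8], order)            # offset of IFD0
        count = int.from_bytes(tiff[ifd0:ifd0 + 2], order)  # 12-byte entries
        for i in range(count):
            start = ifd0 + 2 + 12 * i
            if int.from_bytes(tiff[start:start + 2], order) == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Rebuild the file without Exif APP1 segments; all else is kept as-is."""
    segs, rest = split_jpeg(jpeg)
    kept = [build_segment(m, p) for m, p in segs
            if not (m == 0xE1 and p.startswith(EXIF_HDR))]
    return b"\xff\xd8" + b"".join(kept) + rest

# Constructed sample: structurally minimal JPEG (not a decodable picture).
# TIFF header, IFD0 with one entry (GPSInfo -> offset 26), empty GPS IFD.
TIFF = (b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x01"
        + b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x1a" + b"\x00" * 10)
SAMPLE = (b"\xff\xd8" + build_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + build_segment(0xE1, EXIF_HDR + TIFF) + b"\xff\xda\x00\x02\x12\x34\xff\xd9")
```

Dropping the whole Exif segment also removes the capture time and orientation tags. Location written as XMP metadata is a separate APP1 segment that this sketch does not inspect.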
(Score: 2) by Runaway1956 on Tuesday July 07, @07:21PM (4 children)
WTF did they say? Their apps need access to password manager's data? Huh? Surely, I didn't read that correctly. How 'bout you, Shirley?
The PASSWORD MANAGER should be managing passwords, not some freaking random app that you've installed from the intarwebz!!!
We're From the Government, and We're Here to Help.
(Score: 0) by Anonymous Coward on Tuesday July 07, @07:26PM (1 child)
https://twitter.com/GarbyJooman2020/status/1280462570164383745/photo/1 [twitter.com]
(Score: 2) by Runaway1956 on Tuesday July 07, @07:49PM
Tweets don't display on my machine. I think Twitter is blocked as a malicious software site, which would be consistent with TFA.
We're From the Government, and We're Here to Help.
(Score: 2) by Freeman on Tuesday July 07, @07:28PM (1 child)
That quote is from the BBC writer. "frequent scanning of the clipboard" sounds like poor design at best, malicious intent at worst.
"I said in my haste, All men are liars." Psalm 116:11
(Score: 1) by fustakrakich on Tuesday July 07, @07:36PM
Well, it was very nice of them to stop, don't you think?
REDЯUM
(Score: 0) by Anonymous Coward on Tuesday July 07, @07:51PM
I loaded the official SoylentNews app onto my Apple iPhone and it replaced all my bookmarks with links to social-justice websites, substituted my carefully curated collection of J-Lo porn with pictures of TMB in a dress, and used all of my Bitcoins to buy SoylentNews subscriptions for orphans.