State


Please leave our clipboards alone.

#pleasenocopypasta🍝

Don
Jul 3, 2020

The Problem

Our clipboards see a lot: passwords, bank account information, credit cards, private crypto keys, etc.

Over the past week, iOS 14 has given us some insight into what apps are doing behind the scenes. The new operating system (which is still in beta) will notify you every time your clipboard is accessed. Yesterday, I tweeted calling out Microsoft’s LinkedIn, showing that it was accessing my clipboard on every keystroke.

Don 𝘧𝘳𝘰𝘮 urspace.io (@DonCubed):
LinkedIn is copying the contents of my clipboard every keystroke. iOS 14 allows users to see each paste notification. I’m on an iPad Pro and it’s copying from the clipboard of my MacBook Pro. TikTok just got called out for this exact reason.

July 2nd 2020

1,110 Retweets, 1,842 Likes

This is a problem. However, the real problem and thing that scares me is the fact that ANY app has the ability to access the clipboard without permission.

I could easily see “phishing apps” starting to pop up (if they are not already) with the sole intention to scrape as much clipboard data as possible. To me, this is just as bad or even more worrying than the companies that have already been called out for it. For the most part, the companies that have been getting called out have motive to be “good”. I’m just starting to think about companies or apps that have no intention of being good.

Think of all the apps your parents or your siblings use; if you’re reading this you are probably informed enough and have already installed the new iOS or deleted questionable apps off your phone. Your parents, siblings, grandparents, etc. are the real targets here.

One interesting note — There are a ton of apps that are doing it on startup, but not every keystroke. This makes me wonder if this is caused by a common library they are all using — or what the real reasoning behind doing a clipboard call on load is.

The Response

LinkedIn did respond to my tweet, a big thanks to everyone who retweeted it and gave it visibility.

Erran Berger (@eberger45):
@DonCubed Hi @DonCubed. Appreciate you raising this. We've traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box. We don't store or transmit the clipboard contents.

July 3rd 2020

9 Retweets, 82 Likes

Erran Berger (@eberger45):
@DonCubed An example of this is in a library we have open sourced, and you can find the fix here: github.com/linkedin/Hakaw… We will follow up once the fix is live in our app.

July 3rd 2020

4 Retweets, 57 Likes

“We've traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box” — Erran Berger

Now I do think that we should believe LinkedIn, as they have a lot to lose. Erran linked an open-source GitHub repository with a fix for the problem, and from what was there before and what changed, it does not look like there was anything malicious going on. However, there is no way to verify if this is the actual code inside the LinkedIn app, so take that as you will.

The List

(I will update the list with links to responses the companies have made; these are all ones I have confirmed myself.)

Every Keystroke

  • TikTok — Response

  • LinkedIn — Response

  • Reddit — Response

On Startup of App

  • Google News

  • Patreon

  • Call of Duty

  • Fruit Ninja

  • Philips Sonicare App

What can we do

Being able to get some insight on what apps are doing behind the scenes is a real game changer. If you can: install iOS 14, send me a DM of any apps you find doing this — I will confirm and then add it to this list ^^.

I saw lots of buzz on Twitter about password managers and the exposure that users of password managers might have. I read this article by Chris Hoffman and he had a good find. Some password managers have a feature that will wipe your clipboard a certain number of seconds after the initial copy.

He details it with a picture here:

1Password's option to clear the iPhone clipboard.

We can also ask Apple to require permissions for apps to have access to our clipboard. Google is a big fan of this feature, we’ve seen them use the “from your clipboard” suggestion in apps like Google Search, Maps, etc. I understand that it’s a nice feature to have but the security threat it imposes warrants a notification in my opinion.
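For app developers, the two mitigations discussed above (a clipboard entry that clears itself, and a "from your clipboard" suggestion that does not read the contents) can be sketched with UIKit's pasteboard API. This is an added example, not code from this post, 1Password, or LinkedIn; the function names `copySecret` and `offerPasteSuggestion` and the 60-second lifetime are assumptions.

```swift
import UIKit

// Added example. copySecret and offerPasteSuggestion are hypothetical names.

/// Writer side: put a secret on the clipboard so that the system drops it
/// after `lifetime` seconds and does not share it with other devices
/// through Universal Clipboard (the MacBook-to-iPad path from the tweet).
func copySecret(_ secret: String, lifetime: TimeInterval = 60) {
    let item: [String: Any] = ["public.utf8-plain-text": secret]
    UIPasteboard.general.setItems([item], options: [
        .localOnly: true,                                     // stay on this device
        .expirationDate: Date().addingTimeInterval(lifetime)  // auto-expire
    ])
}

/// Last clipboard generation this app has already evaluated.
private var lastSeenChangeCount = -1

/// Reader side: decide whether to show a "paste from clipboard" hint
/// without reading what is on the clipboard. Requires iOS 14 or later.
func offerPasteSuggestion(_ show: @escaping (Bool) -> Void) {
    let board = UIPasteboard.general

    // changeCount increments whenever the clipboard changes, so a call on
    // every keystroke does no work unless something new was copied.
    guard board.changeCount != lastSeenChangeCount else { return }
    lastSeenChangeCount = board.changeCount

    // hasStrings reports only whether a string is present, not its value.
    guard board.hasStrings else { show(false); return }

    // detectPatterns classifies the first item without returning its
    // contents to the app.
    board.detectPatterns(for: [.probableWebURL, .probableWebSearch]) { result in
        let looksUseful = (try? result.get())?.isEmpty == false
        DispatchQueue.main.async { show(looksUseful) }
    }
}
```

The actual contents are only read when the user taps the suggestion and the app then asks for `UIPasteboard.general.string`, which is the point at which iOS 14 shows the paste notification.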

Please, just ask next time. #pleasenocopypasta🍝


Thanks for reading! I will be writing some more about startups, privacy, and gaming. If you would like to hear more from me -


alpha.rays
Jul 27, 2020

On Startup: Microsoft Edge, eMag, Foodpanda, KIWI.com, LastPass, Pinterest, SoundCloud, TuneIn Radio, 0700;

All the time: Google Chrome, Google Maps;

Frank
Jul 9, 2020

Two more: PhotoSi and Hodl!
