Reddit and Linkedin apps also caught copying and pasting clipboard contents
Linkedin and Reddit both check your clipboard and copy and paste your clipboard contents with every keystroke – even when you’re in another app. Another set of potential privacy violators have been called out by iOS 14’s new paste notifications. The discovery was publicized on Twitter by Don Cubed of urspace.io, who noted that his discovery was very similar to the experience of Jeremy Burge who called out Tik Tok for the same behavior early this week.
LinkedIn is copying the contents of my clipboard every keystroke. IOS 14 allows users to see each paste notification.
I’m on an IPad Pro and it’s copying from the clipboard of my MacBook Pro.
Tik tok just got called out for this exact reason. pic.twitter.com/l6NIT8ixEF
— Don ???? urspace.io (@DonCubed) July 2, 2020
UPDATE: Seems like Reddit is capturing the clipboard on each keystroke as well ?
Seeing the notification come up just as much. pic.twitter.com/nzbElmRG2a
— Don ???? urspace.io (@DonCubed) July 2, 2020
Paste notifications show which apps are snooping on your clipboard
While this malicious app behavior has only been confirmed by users on iOS, it is reasonable to assume that the same thing is happening on Android. It’s also a likely reasonable assumption that Google will release a similar privacy functionality update as paste notifications soon. This is the evolution of granular app permissions and app-permission-use notifications that are finally sweeping the smartphone world as users wake up to the fact that apps often have and use way more permissions than they need if allowed to at time of install. It seems more general users are finally garnering the outrage over privacy violations on the phone.
Smartphone users are finally waking up to the potential privacy violations from installed mobile apps
Another example – which abused access to GPS location instead of the clipboard – is the Tim Hortons app. Now, Tim Hortons is facing a class action lawsuit on top of an investigation by privacy commissioners in Canada.
On Linkedin’s part, they have responded to Don Cubed and stated that they will be making a fix for this behavior. A spokesperson for Linkedin told Cubed that the copy and pasted information from users’ clipboard is only used for an “equality check,” implying that it isn’t stored and analyzed for other nefarious purposes.
Hi @DonCubed. Appreciate you raising this. We've traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box. We don't store or transmit the clipboard contents.
— Erran Berger (@eberger45) July 3, 2020
When a user uses an app and sees that an app has “pasted from another device,” it is a scary time, though. It’s completely reasonable to assume the worst – especially given the offending company’s past anti-privacy actions. Users shouldn’t have to give companies the benefit of the doubt – the extent to which mobile apps use permissions granted by the user need to be properly disclosed and there shouldn’t be these murky avenues for abuse.
Comments are closed.
1 Comments
Pretty sure the researcher who found this said it only happens IF the app is open and in view on the user’s device, not if they are actively in another app. Anyway, this is Apple’s fault. They promised sandboxing and then let this happen without giving users control.