[HN Gopher] iOS14 reveals that TikTok may snoop clipboard conten...
___________________________________________________________________
iOS14 reveals that TikTok may snoop clipboard contents every few
keystrokes

Author : georgespencer
Score  : 189 points
Date   : 2020-06-24 21:34 UTC (1 hours ago)

(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)

| gentleman11 wrote:
| I use bitwarden as my password manager. Out of paranoia, I have
| been logging into Bitwarden only while an empty tab is open in
| case some random website is able to access my keystrokes while I
| use the plugin.
| 
| I am a web developer, but I wasn't actually able to find
| information about whether this is a real risk or not last year
| when I began doing it. Can anybody clarify?
| ciarannolan wrote:
| A Yubikey or similar device is a good way to mitigate the
| damage of having your password manager's password stolen.
| 
| https://bitwarden.com/help/article/setup-two-step-login-yubi...
| rvz wrote:
| And for Mac users, Touch ID takes this further without any
| devices, dongles or passwords, which 1Password, Dashlane, etc.
| already support.
| riskable wrote:
| The problem is that iOS doesn't differentiate between a call
| that merely checks for the presence of a clipboard entry (e.g.
| so you can enable "Paste" in a menu/submenu) and _actually_
| copying the contents of the clipboard.
| 
| The workaround (for legitimate apps) is to simply always keep
| that "Paste" option enabled--even if the clipboard is empty.
| That way you won't freak out your users and only suffer the
| most minor of usability consequences.
| 
| Having said that I don't think TikTok has any relevant
| functionality such as enabling a "Paste" option so... Most
| likely nefarious!
| pininja wrote:
| > I don't think TikTok has any relevant functionality
| 
| Does pasting text into a video as an annotation require
| "Paste" to be enabled in this way?
| selsta wrote:
| iOS differentiates between this since iOS 10:
| 
| https://developer.apple.com/documentation/uikit/uipasteboard...
| 
| Also iOS 14 has new clipboard related APIs to further check
| the content without actually accessing it.
| WrtCdEvrydy wrote:
| This is weird, you usually can't paste data from the clipboard
| (part of the browser sandbox). Copying into the clipboard is
| free, pasting is not.
| 
| Edit: This seems to be the app TikTok, not a website.
| moonchild wrote:
| It is a risk. There's an easier solution, though.
| 
| about:config -> dom.event.clipboardevents.enabled=false
| hkt wrote:
| I note with interest some commenters with.. interesting.. English
| skills, and also strongly pro-clipboard-scraping views. Funny
| that.
| KaoruAoiShiho wrote:
| Hopefully we can turn this off, this is going to destroy
| usability and be very annoying.
| adamhearn wrote:
| You mean so you can snoop from the user without being detected?
| KaoruAoiShiho wrote:
| There are a lot of valid use cases for clipboard saving, I
| don't have an iOS app but I run CopyClip which would be kinda
| ruined by this "feature".
| remmargorp64 wrote:
| Then there should be a setting that has to be manually
| approved to allow the clipboard interactivity feature.
| 
| I use a password manager on my iPhone and I am copying and
| pasting my passwords all the time. If some random app is
| scraping my clipboard silently and sending the data to a
| third party, that means my passwords are compromised. I am
| very much NOT OK WITH THIS.
| 
| Keep in mind, this permission should be fundamentally
| different than the permissions for just manually copying
| and pasting. I don't want to have to deal with permissions
| to "allow clipboard use" that I have to approve every time
| I want to paste something. That would be obnoxious. I am
| only worried about restricting permissions for invisible
| passive snooping.
| beamatronic wrote:
| Why does any app have access to the clipboard?
| Seems like a big security hole.
| csa wrote:
| In order to know when you should enable the paste option.
| 
| It can be an elegant design choice, but also a design choice
| that appears to be or is an abuse of privacy.
| beamatronic wrote:
| I should be able to paste into specific GUI elements that
| allow pasting. The application presenting the GUI element to
| me should be blind to whether I typed that data, or pasted it
| into there.
| landryraccoon wrote:
| Couldn't iOS just have a peek API that tells the application
| if the clipboard is empty or not without revealing its
| contents?
| RandallBrown wrote:
| They've had one for several years.
| 
| https://developer.apple.com/documentation/uikit/uipasteboard...
| [deleted]
| m0xte wrote:
| Perhaps the destination should define whether or not you can
| paste into it and the OS can provide that option instead.
| This looks like a violation of "tell, don't ask".
| ycombonator wrote:
| Chinese Communist Party [1]
| 
| [1] https://www.vox.com/open-sourced/2019/12/16/21013048/tiktok-...
| makecheck wrote:
| Perhaps there should be a separate security level for "access
| whatever was just Copied in the last 4 seconds, if the only other
| action taken was to switch to the app requesting the clipboard".
| Almost any app could clear that bar, since under those conditions
| it probably means "user grabbed something and wants to use it
| here".
| 
| What is the use case for "read whatever was copied from anywhere
| for any reason at any time"? If there is one (e.g. full-fledged
| word processor maybe), that should _still_ be a separate
| entitlement and require a higher bar, e.g. extensive app review.
| mobilio wrote:
| hm... seems that this privacy issue:
| https://developer.apple.com/app-store/review/guidelines/#pri...
| can lead to a ban from the App Store
| dan-robertson wrote:
| Fortunately for tiktok, such rules only apply to small apps.
| They will probably get a polite phone call from a VP asking
| them to please stop doing that but nothing more.
| riskable wrote:
| Oh yes! Please! I have wild fantasies about TikTok being banned
| like that.
| 
| "Why was TikTok banned?"
| 
| "Because they violated the basic capitalistic principle of
| existing not to make money but to amass a Nazi-like
| ledger/database of every person in the world on behalf of a
| nation state."
| grecy wrote:
| Fairly impressive if true - they must have already gobbled up
| tens of millions of passwords and other sensitive data that users
| had no idea was being stolen from their clipboard.
| radomysisky wrote:
| To the coffers of the CCP.
| triceratops wrote:
| Let's be real. Is anyone honestly surprised?
| rhizome wrote:
| "Surprise" is not a good standard for concern.
| avh02 wrote:
| Depends on what you're doing, driving or flying - you don't
| want surprises, they'd definitely be concerning. Privacy too
| in my opinion.
| ferest wrote:
| Running an old app on a new OS causing unpredicted behavior is
| normal, and here it is being assumed that it is not an iOS14 bug.
| RandallBrown wrote:
| iOS 14 added this feature (the clipboard notification) to catch
| this type of behavior.
| 
| It's _possible_ that TikTok isn't doing anything and this is a
| bug, but it's more likely they're using the clipboard in a way
| they shouldn't.
| thekyle wrote:
| It does make me wonder how many apps on Android also do this and
| go completely undetected. Hopefully Google adds something
| similar.
| harpastum wrote:
| It looks like there could be a reasonable explanation for this.
| There are apps that have different behavior whether or not there
| is text in the clipboard (e.g. enabling a "paste" button), and
| they're only checking that the text exists, not what it is.
| There's a new API that will let devs do that without triggering
| the user notification.
| 
| If TikTok is actually constantly loading the clipboard, that's
| obviously terrible.
| I'd bet this behavior is gone by the next release, and that
| shows how useful this new notification is.
| 
| Same issue with notes from that app's developer saying what's
| going on and how they will fix it:
| https://twitter.com/ecormany/status/1275903947899797505
| brundolf wrote:
| > There are apps that have different behavior whether or not
| there is text in the clipboard (e.g. enabling a "paste" button)
| 
| People keep saying this but I've _never_ seen one of these
| app-specific paste widgets. And even if I did, I wouldn't miss it
| in the slightest for the sake of not allowing _every app to be
| reading my clipboard at all times_.
| 
| It's inexcusable to me that there isn't a permissions prompt
| for this. Two of my most common types of copy-pasted strings are
| URLs and _passwords_.
| jborichevskiy wrote:
| > I've never seen one of these app-specific paste widgets
| 
| IIRC having an address (or address-looking string) in your
| clipboard will cause it to show up as the first result on the
| search screen in Google Maps.
| pininja wrote:
| Is the "Link you copied" feature in the new tab of iOS Google
| Chrome one of these?
| 
| As well as the "Address you copied" iOS Google Maps search
| field feature?
| Ptrulli wrote:
| Do most of these apps mention this in their privacy terms? I
| would imagine it's somewhere in there, but who has the time to
| read all of that. This reminds me of HEY.com. Apple is following
| suit in terms of notifying the user on privacy...
| speedyapoc wrote:
| I know there are a few apps which will check the clipboard in
| order to provide functionality to the user. For example, some
| shipping apps will check the clipboard to see if the user has a
| copied tracking code and if so, ask the user if they want to
| track their copied code.
| 
| Not sure if TikTok does something similar, but there are
| certainly innocent reasons for checking the clipboard.
| reaperducer wrote:
| I use a shipping app that does that.
| Doesn't the shipping app know when it's newly in focus, and
| shouldn't it only then check the clipboard, not constantly check?
| 
| FWIW, the one I use only checks once -- upon startup. It's
| sometimes annoying that I have to kick it out and re-launch if
| I've copied a tracking URL from e-mail after the delivery
| tracking app is already open, but now that I know that's the
| price of privacy, I'm perfectly OK with it.
| derimagia wrote:
| I know in some apps when logging in with a TOTP (2-factor auth
| code) it scans your clipboard for it.
| 
| I believe Slack was one of these. I thought it was useful at
| the time.
| radomysisky wrote:
| Should we still be giving the benefit of the doubt to a
| Chinese-owned honeypot in 2020?
| sgjohnson wrote:
| Absolutely not.
| tempestn wrote:
| You'd think if the user knew to copy a tracking code into their
| clipboard, they could also paste it into the appropriate field
| without the app needing to extract it for them.
| 
| Edit: fair responses, all. You've convinced me.
| mkenyon wrote:
| I mean, sure, you're technically correct, but you're missing
| the point. For just one example, it's so heckin' convenient
| when an app recognizes that you have a 2FA token in your
| clipboard copied from your 2FA app and "pastes" it for you
| automatically.
| the_pwner224 wrote:
| Not having to paste is very useful. Especially on mobile
| where pasting is slow and tedious.
| 
| A few months ago I would have said the same thing as you, but
| then I experienced some applications which looked at what I
| had copied and automatically did all the hard work. It's a
| pleasant surprise to see it happen, and having experienced
| it, I am happy that the applications have this functionality.
| 
| Of course if you're living in a world where all the code on
| your device is considered hostile, then you may not want
| this.
| But I use almost only free software and there you can
| generally start with a presumption of goodwill instead of
| starting with a feeling of distrust, like with TikTok.
| jdminhbg wrote:
| Yes, but this is still convenient. For example, Pocket (a
| read-it-later service) checks your clipboard when you open
| the app. Normally to add a new URL to your reading list, you
| need to tap through a menu or two from the front page of the
| app. But if it detects your clipboard has a URL on it, it
| provides a small one-tap "Add this copied URL to your list?"
| button at the bottom of the screen, reducing the friction.
| vxNsr wrote:
| Appears that a lot of third party apps are just using an older
| API that forces this notification to show. A lot less nefarious
| than it originally appears.
| 
| Seems that iOS14 offers a specific new API to check if there's
| something on the clipboard without actually seeing it, which is
| what all these apps are trying to do.
| SirensOfTitan wrote:
| It seems like a ton of apps are abusing this feature:
| https://www.youtube.com/watch?v=pRSWdtoUAjo
| 
| I categorize this as another reason why "just trust us," just
| isn't acceptable enough when it comes to data privacy and
| ownership. Companies just cannot be trusted to treat their users'
| data with respect given the option of: profit or privacy.
| 
| (sourced from reddit:
| https://old.reddit.com/r/apple/comments/hejb9i/ios14_catches...)
| alfalfasprout wrote:
| People love to hate on Apple but the fact is, they continue to
| release features to better showcase or restrict developers that
| abuse your privacy. The "walled garden" also ensures they apply
| a ton of checks to apps to better restrict abuses. Sometimes
| it's overly sensitive and bad things happen, but in general
| it's awesome that over time it becomes harder and harder to get
| away with apps blatantly spying on you.
___________________________________________________________________
(page generated 2020-06-24 23:00 UTC)
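Added illustration, not from the thread or from any app named in it, of the distinction selsta, harpastum and vxNsr draw between checking that the clipboard holds something and reading it: a Swift sketch of the Pocket-style "copied URL" offer jdminhbg describes, built on UIKit's presence checks (hasStrings, hasURLs, changeCount) and the iOS 14 detectPatterns(for:) API, so no clipboard content is read until the user accepts. The CopiedLinkOffer class and its lastSeenChangeCount bookkeeping are hypothetical scaffolding; the UIPasteboard members used are the real UIKit API.

```swift
import UIKit

/// Enabling a "Paste" control needs only presence, not content.
/// hasStrings does not read the pasteboard, so it does not produce
/// the iOS 14 "pasted from ..." banner the thread is about.
func pasteControlShouldBeEnabled() -> Bool {
    return UIPasteboard.general.hasStrings
}

/// Hypothetical helper: offers "Add this copied URL?" once per copy,
/// without reading the URL until the user taps the offer.
final class CopiedLinkOffer {
    // Hypothetical bookkeeping: last changeCount we already acted on.
    private var lastSeenChangeCount = -1

    /// Call once when the app becomes active, not on a timer and not
    /// per keystroke; changeCount is a counter, not clipboard content.
    func checkOnBecomeActive(offer: @escaping () -> Void) {
        let pb = UIPasteboard.general
        guard pb.changeCount != lastSeenChangeCount else { return }
        lastSeenChangeCount = pb.changeCount
        // Presence checks only: still nothing has been read.
        guard pb.hasURLs || pb.hasStrings else { return }
        if #available(iOS 14.0, *) {
            // detectPatterns reports WHICH patterns match and returns no
            // content; detectValues(for:) or .string/.url would read it.
            pb.detectPatterns(for: [.probableWebURL]) { result in
                if case .success(let found) = result,
                   found.contains(.probableWebURL) {
                    DispatchQueue.main.async { offer() }
                }
            }
        } else {
            // Before iOS 14 there is no content-free pattern check, so
            // just show the offer and let the user decide.
            offer()
        }
    }

    /// Only here, after an explicit user tap, is the content read; this
    /// is the single point where the iOS 14 banner may appear.
    func acceptOffer() -> URL? {
        return UIPasteboard.general.url
    }
}
```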