[HN Gopher] iOS14 reveals that TikTok may snoop clipboard conten...
       ___________________________________________________________________
        
       iOS14 reveals that TikTok may snoop clipboard contents every few
       keystrokes
        
       Author : georgespencer
       Score  : 189 points
       Date   : 2020-06-24 21:34 UTC (1 hour ago)
        
        
       | gentleman11 wrote:
       | I use bitwarden as my password manager. Out of paranoia, I have
       | been logging into Bitwarden only while an empty tab is open in
       | case some random website is able to access my keystrokes while I
       | use the plugin.
       | 
       | I am a web developer, but I wasn't actually able to find
       | information about whether this is a real risk or not last year
       | when I began doing it. Can anybody clarify?
        
         | ciarannolan wrote:
         | A Yubikey or similar device is a good way to mitigate the
         | damage of having your password manager's password stolen.
         | 
         | https://bitwarden.com/help/article/setup-two-step-login-yubi...
        
           | rvz wrote:
           | And for Mac users, Touch ID takes this further without any
           | devices, dongles or passwords, which 1Password, Dashlane, etc.
           | already support.
        
         | riskable wrote:
         | The problem is that iOS doesn't differentiate between a call
         | that merely checks for the presence of a clipboard entry (e.g.
         | so you can enable "Paste" in a menu/submenu) and _actually_
         | copying the contents of the clipboard.
         | 
         | The workaround (for legitimate apps) is to simply always keep
         | that "Paste" option enabled--even if the clipboard is empty.
         | That way you won't freak out your users and only suffer the
         | most minor of usability consequences.
         | 
         | Having said that I don't think TikTok has any relevant
         | functionality such as enabling a "Paste" option so... Most
         | likely nefarious!
        
           | pininja wrote:
           | > I don't think TikTok has any relevant functionality
           | 
           | Does pasting text into a video as an annotation require
           | "Paste" to be enabled in this way?
        
           | selsta wrote:
           | iOS differentiates between this since iOS 10:
           | 
           | https://developer.apple.com/documentation/uikit/uipasteboard...
           | 
           | Also iOS 14 has new clipboard related APIs to further check
           | the content without actually accessing it.
        
         | WrtCdEvrydy wrote:
         | This is weird; you usually can't paste data from the clipboard
         | (part of the browser sandbox). Copying into the clipboard is
         | free, pasting is not.
         | 
         | Edit: This seems to be the app TikTok, not a website.
        
         | moonchild wrote:
         | It is a risk. There's an easier solution, though.
         | 
         | about:config -> dom.event.clipboardevents.enabled=false
        
       | hkt wrote:
       | I note with interest some commenters with.. interesting.. English
       | skills, and also strongly pro-clipboard-scraping views. Funny
       | that.
        
       | KaoruAoiShiho wrote:
       | Hopefully we can turn this off; this is going to destroy
       | usability and be very annoying.
        
         | adamhearn wrote:
         | You mean so you can snoop from the user without being detected?
        
           | KaoruAoiShiho wrote:
           | There are a lot of valid usecases for clipboard saving, I
           | don't have an iOS app but I run CopyClip which would be kinda
           | ruined by this "feature".
        
             | remmargorp64 wrote:
             | Then there should be a setting that has to be manually
             | approved to allow the clipboard interactivity feature.
             | 
             | I use a password manager on my iPhone and I am copying and
             | pasting my passwords all the time. If some random app is
             | scraping my clipboard silently and sending the data to a
             | third party, that means my passwords are compromised. I am
             | very much NOT OK WITH THIS.
             | 
             | Keep in mind, this permission should be fundamentally
             | different than the permissions for just manually copying
             | and pasting. I don't want to have to deal with permissions
             | to "allow clipboard use" that I have to approve every time
             | I want to paste something. That would be obnoxious. I am
             | only worried about restricting permissions for invisible
             | passive snooping.
        
       | beamatronic wrote:
       | Why does any app have access to the clipboard? Seems like a big
       | security hole.
        
         | csa wrote:
         | In order to know when you should enable the paste option.
         | 
         | It can be an elegant design choice, but also a design choice
         | that appears to be or is an abuse of privacy.
        
           | beamatronic wrote:
           | I should be able to paste into specific GUI elements that
           | allow pasting. The application presenting the GUI element to
           | me should be blind to whether I typed that data, or pasted it
           | into there.
        
           | landryraccoon wrote:
           | Couldn't iOS just have a peek API that tells the application
           | if the clipboard is empty or not without revealing its
           | contents?
        
             | RandallBrown wrote:
             | They've had one for several years.
             | 
             | https://developer.apple.com/documentation/uikit/uipasteboard...
        
        
           | m0xte wrote:
           | Perhaps the destination should define whether or not you can
           | paste into it and the OS can provide that option instead.
           | This looks like a violation of "tell, don't ask".
        
       | ycombonator wrote:
       | Chinese Communist Party [1]
       | 
       | [1] https://www.vox.com/open-sourced/2019/12/16/21013048/tiktok-...
        
       | makecheck wrote:
       | Perhaps there should be a separate security level for "access
       | whatever was just Copied in the last 4 seconds, if the only other
       | action taken was to switch to the app requesting the clipboard".
       | Almost any app could clear that bar, since under those conditions
       | it probably means "user grabbed something and wants to use it
       | here".
       | 
       | What is the use case for "read whatever was copied from anywhere
       | for any reason at any time"? If there is one (e.g. full-fledged
       | word processor maybe), that should _still_ be a separate
       | entitlement and require a higher bar, e.g. extensive app review.
        
       | mobilio wrote:
       | Hm... seems that this privacy issue: https://developer.apple.com/app-
       | store/review/guidelines/#pri... can lead to a ban from the App Store.
        
         | dan-robertson wrote:
         | Fortunately for tiktok, such rules only apply to small apps.
         | They will probably get a polite phone call from a VP asking
         | them to please stop doing that but nothing more.
        
         | riskable wrote:
         | Oh yes! Please! I have wild fantasies about TikTok being banned
         | like that.
         | 
         | "Why was TikTok banned?"
         | 
         | "Because they violated the basic capitalist principle of
         | existing not to make money but to amass a Nazi-like
         | ledger/database of every person in the world on behalf of a
         | nation state."
        
       | grecy wrote:
       | Fairly impressive if true - they must have already gobbled up
       | tens of millions of passwords and other sensitive data that users
       | had no idea was being stolen from their clipboard.
        
         | radomysisky wrote:
         | To the coffers of the CCP.
        
       | triceratops wrote:
       | Let's be real. Is anyone honestly surprised?
        
         | rhizome wrote:
         | "Surprise" is not a good standard for concern.
        
           | avh02 wrote:
           | Depends on what you're doing, driving or flying - you don't
           | want surprises, they'd definitely be concerning. Privacy too
           | in my opinion.
        
       | ferest wrote:
       | Running an old app on a new OS causing unpredicted behavior is
       | normal, and this is assuming it is not an iOS 14 bug.
        
         | RandallBrown wrote:
         | iOS 14 added this feature (the clipboard notification) to catch
         | this type of behavior.
         | 
         | It's _possible_ that TikTok isn't doing anything and this is a
         | bug, but it's more likely they're using the clipboard in a way
         | they shouldn't.
        
       | thekyle wrote:
       | It does make me wonder how many apps on Android also do this and
       | go completely undetected. Hopefully Google adds something
       | similar.
        
       | harpastum wrote:
       | It looks like there could be a reasonable explanation for this.
       | There are apps that have different behavior whether or not there
       | is text in the clipboard (e.g. enabling a "paste" button), and
       | they're only checking that the text exists, not what it is.
       | There's a new API that will let devs do that without triggering
       | the user notification.
       | 
       | If TikTok is actually constantly loading the clipboard, that's
       | obviously terrible. I'd bet this behavior is gone by the next
       | release, and that shows how useful this new notification is.
       | 
       | Same issue with notes from that app's developer saying what's
       | going on and how they will fix it:
       | https://twitter.com/ecormany/status/1275903947899797505
        
         | brundolf wrote:
         | > There are apps that have different behavior whether or not
         | there is text in the clipboard (e.g. enabling a "paste" button)
         | 
           | People keep saying this but I've _never_ seen one of these
           | app-specific paste widgets. And even if I did, I wouldn't miss
           | it in the slightest for the sake of not allowing _every app to
           | be reading my clipboard at all times_.
           | 
           | It's inexcusable to me that there isn't a permissions prompt
           | for this. Two of my most common types of copy-pasted strings
           | are URLs and _passwords_.
        
           | jborichevskiy wrote:
           | > I've never seen one of these app-specific paste widgets
           | 
           | IIRC having an address (or address-looking string) in your
           | clipboard will cause it to show up as the first result on the
           | search screen in Google Maps.
        
           | pininja wrote:
           | Is the "Link you copied" feature in the new tab page of iOS
           | Google Chrome one of these?
           | 
           | As well as the "Address you copied" iOS Google Maps search
           | field feature?
        
       | Ptrulli wrote:
       | Do most of these apps mention this in their privacy terms? I
       | would imagine it's somewhere in there, but who has the time to
       | read all of that. This reminds me of HEY.com. Apple is following
       | suit in terms of notifying the user on privacy...
        
       | speedyapoc wrote:
       | I know there are a few apps which will check the clipboard in
       | order to provide functionality to the user. For example, some
       | shipping apps will check the clipboard to see if the user has a
       | copied tracking code and if so, ask the user if they want to
       | track their copied code.
       | 
       | Not sure if TikTok does something similar, but there are
       | certainly innocent reasons for checking the clipboard.
        
         | reaperducer wrote:
         | I use a shipping app that does that. Doesn't the shipping app
         | know when it's newly in focus, and shouldn't it only then check
         | the clipboard, not constantly check?
         | 
         | FWIW, the one I use only checks once -- upon startup. It's
         | sometimes annoying that I have to kick it out and re-launch if
         | I've copied a tracking URL from e-mail after the delivery
         | tracking app is already open, but now that I know that's the
         | price of privacy, I'm perfectly OK with it.
        
         | derimagia wrote:
         | I know in some apps when logging in with a TOTP (2-factor auth
         | code) it scans your clipboard for it.
         | 
         | I believe Slack was one of these. I thought it was useful at
         | the time.
        
         | radomysisky wrote:
         | Should we still be giving the benefit of the doubt to a
         | Chinese-owned honeypot in 2020?
        
           | sgjohnson wrote:
           | Absolutely not.
        
         | tempestn wrote:
         | You'd think if the user knew to copy a tracking code into their
         | clipboard, they could also paste it into the appropriate field
         | without the app needing to extract it for them.
         | 
         | Edit: fair responses, all. You've convinced me.
        
           | mkenyon wrote:
           | I mean, sure, you're technically correct, but you're missing
           | the point. For just one example, it's so heckin' convenient
           | when an app recognizes that you have a 2FA token in your
           | clipboard copied from your 2FA app and "pastes" it for you
           | automatically.
        
           | the_pwner224 wrote:
           | Not having to paste is very useful. Especially on mobile
           | where pasting is slow and tedious.
           | 
           | A few months ago I would have said the same thing as you, but
           | then I experienced some applications which looked at what I
           | had copied and automatically did all the hard work. It's a
           | pleasant surprise to see it happen, and having experienced
           | it, I am happy that the applications have this functionality.
           | 
           | Of course if you're living in a world where all the code on
           | your device is considered hostile, then you may not want
           | this. But I use almost only free software and there you can
           | generally start with a presumption of goodwill instead of
           | starting with a feeling of distrust, like with TikTok.
        
           | jdminhbg wrote:
           | Yes, but this is still convenient. For example, Pocket (a
           | read-it-later service) checks your clipboard when you open
           | the app. Normally to add a new URL to your reading list, you
           | need to tap through a menu or two from the front page of the
           | app. But if it detects your clipboard has a URL on it, it
           | provides a small one-tap "Add this copied URL to your list?"
           | button at the bottom of the screen, reducing the friction.
        
       | vxNsr wrote:
       | Appears that a lot of third-party apps are just using an older
       | API that forces this notification to show. A lot less nefarious
       | than it originally appears.
       | 
       | Seems that iOS14 offers a specific new API to check if there's
       | something on the clipboard without actually seeing it which is
       | what all these apps are trying to do.
        
       | SirensOfTitan wrote:
       | It seems like a ton of apps are abusing this feature:
       | https://www.youtube.com/watch?v=pRSWdtoUAjo
       | 
       | I categorize this as another reason why "just trust us," just
       | isn't acceptable enough when it comes to data privacy and
       | ownership. Companies just cannot be trusted to treat their users'
       | data with respect given the option of: profit or privacy.
       | 
       | (sourced from reddit:
       | https://old.reddit.com/r/apple/comments/hejb9i/ios14_catches...)
        
         | alfalfasprout wrote:
         | People love to hate on Apple but the fact is, they continue to
         | release features to better showcase or restrict developers that
         | abuse your privacy. The "walled garden" also ensures they apply
         | a ton of checks to apps to better restrict abuses. Sometimes
         | it's overly sensitive and bad things happen, but in general
         | it's awesome that over time it becomes harder and harder to get
         | away with apps blatantly spying on you.
        
       ___________________________________________________________________
       (page generated 2020-06-24 23:00 UTC)