

“To prevent apps from exploiting the pasteboard,” the researchers say, “Apple must act.”

But the fact that the data can be accessed without user awareness is a privacy concern. Apps should either have specific permission to read the clipboard or such access should be restricted to when a user actively elects to “paste,” or, if not, there should be a user notification that such a system request has been made. The researchers also note that although the apps could access any data type on the clipboard, the ones they found were only reading text and ignoring other data. Again, it has to be stressed that there is no claim here that any of the apps listed are actually snooping on users or doing anything with that data. “There are games and apps that do not provide any UI that deals with text, yet they read the text content of the pasteboard every time they’re opened.” The researchers ignored apps that only look at the pasteboard the first time the app is opened. “We include an app that requests and reads the content of the system-wide pasteboard every time it’s opened,” they explain, “and consider it to be highly suspicious.” Using Apple’s command line tools to monitor app behavior, reading the system log which records pasteboard events.

In their blog, the researchers Talal Haj Bakry and Tommy Mysk explain their methodology for testing apps in detail. As Apple says, “you can copy content such as text, images, photos, and videos on one Apple device, then paste the content on another.” And so the Universal Clipboard is the real risk, where an iOS app can view data that has been copied on a Mac. Here it is:

Copying and pasting on an iOS device is far less frequent than on a Mac. “We will prepare a video and post it,” they told me. “Can I see a POC video for this?” I asked. It is clear that users are unaware that this is taking place. But the researchers argue the vulnerability should not be there in the first place. This is about a vulnerability, not a report into its exploitation.

“I assume the publishers of these apps are not aware of it.” “Perhaps these libraries read the pasteboard,” the researchers said, likely the same libraries in multiple apps. There is no claim being made that any of the apps are actually exfiltrating user data; the likelier explanation is legacy software libraries. TikTok stands out, though, given its much wider security concerns. “Text left in the pasteboard could be just a shopping list, or could be something more sensitive: passwords, account numbers, etc.” According to the researchers, “many apps quietly read text found in the pasteboard every time they are opened.” The researchers name around 50 apps that were tested and found to be reading the clipboard.
