Friday, 10 July 2020

TikTok is start of clipboard horror story
There’s a snowballing story about apps that copy your phone or tablet clipboard contents and it begins with TikTok.
TikTok, which collects data about its users using mechanisms such as challenges and surveys, was outed late last month specifically for copying information from the clipboard of users’ phones and tablets. It’s not the only app that does this. According to reports, about 50 have been outed so far. But this was the first, and more are likely to follow shortly.
This is serious. Whenever you copy and paste data in the regular way, it passes through the clipboard, which temporarily stores the data we move between applications. There are many circumstances in which we might hold very confidential information in the clipboard.
For example, you might write a very confidential and explosive letter in Word, then copy and paste it into a secure encrypted email service such as ProtonMail or Tutanota, thinking your correspondence is totally safe and forgetting that your letter could have been nicked from the clipboard. You might never remember your credit card number, so you copy and paste it via the clipboard onto payment sites. Some cloud-based password safes will conveniently insert your login/password into a login screen by first copying them into the clipboard and pasting them onto a website. The clipboard can store lots of highly sensitive information.
This issue has now come to a head in iOS, the operating system used for iPhones and iPads. Apple has included a safeguard in the upcoming iOS 14 version which will tell you when the clipboard is being accessed by an app, so you can monitor this.
The final iOS 14 version is not public yet. However, developers using an early version of it have detected lots of apps that access the clipboard while they are open, and the first one was TikTok. In a blog post dated June 30, TikTok said it had removed this vulnerability in an app update, but the reasoning as to why TikTok accessed the clipboard is interesting.
TikTok acknowledges that users started getting notifications about TikTok accessing their clipboard when they tried to type comments on a video in the app.
“In this case, we had been working to address the problem of spam and incidents where users sometimes post the same comments on hundreds of videos,” TikTok chief information security officer Roland Cloutier said in a blog post. “Our technology allowed us to identify users who were copying comments and placing them over and over in the comment section for different videos. We took this as a signal that the user had an agenda, such as promoting themselves to gain followers, or trolling other users.”
He said TikTok rolled out this feature to its iOS app on May 22 but, due to the exposé, removed it in version 16.1.1 of the TikTok app, which appeared in the iOS App Store on June 27. TikTok says it is now using other methods to detect spam comments. The full blog post is here.
The public would not have known about this without the new iOS 14 notification feature, which has now outed other apps accessing keystrokes and the clipboard contents, including LinkedIn and Reddit. According to reports, both say they will discontinue using the clipboard in this way.
In the end, apps need to access clipboard contents if you are going to paste items to them, but the security around the clipboard needs tightening so that you give specific permission for an app to access the clipboard under specific circumstances. Expect more app outings once Apple’s iOS 14 is in the hands of millions of general users.
