July 14, 2020
LinkedIn, TikTok, Reddit Capture the Clipboard Content on Each Keystroke
The handy banner alert feature in new operating systems IOS 14 and iPadOS 14 has unveiled that many popular applications access your clipboard without permission and copy its content after every keystroke.
TikTok, Reddit, LinkedIn capture content on every keystroke; Call of Duty, Patreon, Fruit Ninja, Philips Sonicare App, and Google News, and many others do so on the startup.
However, this is just a list of confirmed apps. In theory, any application can get this access without permission. Many of them could be more straightforward in their maliciousness, just appearing to scrape as much clipboard data as possible.
Through multiple Twitter videos shared by @DonCubed, we can see how apps interact with the clipboard every time a key is pressed. The apps can read what’s getting copied on other devices with the same iCloud account since iOS has a Universal Clipboard.
Why Is This So Important?
When you copy something to the clipboard, applications can read the contents of your clipboard without you manually selecting “Paste.”
The clipboard is a trove of sensitive data, such as passwords, card credentials, document information, private crypto keys, links, and pictures that can unveil a lot about the user. Plus, every other content the user copied or cut out from different apps.
Clipboard-invading practice is not unlawful, but it is concerning, and will rightfully make a lot of us nervous about handling sensitive data on our devices. A lot of confronted applications responded to the questions, pointing out the need to “identify repetitive, spammy behavior” or made it look like a bug that was hastily fixed.
Of course, “nobody” stores or transmits the clipboard contents, until proven otherwise. It’s better to ask for forgiveness than permission.
Until iOS 14, this happened silently, but now people have more vision, like with the orange and green dots indicating the use of the microphone and camera, which is excellent news. Additionally, iOS 14 will out all the snooping apps with pop-up notifications. Now the apps would have to ask our permission to track us, which greatly infuriated Facebook and Google.
A great rule of the thumb is simple to learn and understand:
“If companies can overstep their boundaries and invade your privacy ‒ they will.”
What Should We Do To Mitigate The Risk?
If you follow the mantras of cybersecurity, you probably already know about the privacy/comfort trade-off.
Any website offering you a better experience in the application should raise a red flag.
The app will serve you more ads that could have been blocked in the desktop browser and collect more of your data. That’s why so many websites are underdeveloped, and that’s why the push for more people to use the app is so aggressive.
If you can use the website ‒ stay away from the dedicated apps. For example, Facebook website can't monitor your clipboard, but the Facebook app on your phone can.
Now that you are aware, or have been reminded, of this risk, tell your friends and family members to check their clipboards. Perhaps some of them will understand that they indeed have data they would like to keep away from data-hungry apps. I wrote a post about Burger King trying to access your geolocation data for a free burger and went into great detail about Zoom’s privacy and security failures, which could also be helpful for that noble mission.
For those who are worried about clipboard access in the context of password managers, some of them have a “Clear Clipboard” feature that will auto-clear any copied text from the clipboard after 90 seconds.
Better than nothing!
You don’t have to be very smart to know that things are any better on Android. All we can do now is stay alert, and remember that social media platforms are not the only faulty friends that are involved in mining and dining on our data.