According to a blog post by Don Morton (Twitter user @Doncubed), LinkedIn had been copying clipboard content from iOS devices with every keystroke.
“LinkedIn is copying the contents of my clipboard every keystroke. iOS 14 allows users to see each paste notification,” he tweeted. The invasion of privacy was discovered using a new feature on iOS 14 beta called the Universal Clipboard privacy feature. Not only does this allow copying and pasting between Apple devices, it also alerts users if another app accesses that data.
In a later tweet, LinkedIn’s consumer products VP of engineering, Erran Berger, acknowledged the problem and said the company had “traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box.”
“We don’t store or transmit the clipboard contents,” he said.
In another report, the same feature revealed that Reddit has similar issues with its app. A video shared by Don Morton showed that the Reddit app also triggered Universal Clipboard notifications every time a key was pressed.
In a statement to The Verge, Reddit said that the issue was down to a codepath that checks for URLs then suggests a post title.
“We do not store or send the pasteboard contents. We removed this code and are releasing the fix on 14 July,” the spokesperson said.
Morton said in his blog post that he could “easily see ‘phishing apps’ starting to pop up (if they are not already) with the sole intention to scrape as much clipboard data as possible.”
“To me, this is just as bad or even more worrying than the companies that have already been called out for it. For the most part, the companies that have been getting called out have motive to be ‘good’. I’m just starting to think about companies or apps that have no intention of being good,” he said.
Morton said that users should ask Apple to require permissions for apps to have access to the clipboard.
“Google is a big fan of this feature, we’ve seen them use the ‘from your clipboard’ suggestion in apps like Google Search, Maps, etc. I understand that it’s a nice feature to have but the security threat it imposes warrants a notification in my opinion,” he said.
David Kennefick, product architect at Edgescan, told SC Media UK that very few mitigations currently exist and that it seems practices such as this may have been in place for some time. “From late last year, the US Army was advising that applications from Chinese-owned companies should not be installed on work devices; this included the very popular TikTok.”
“The best advice from a security and privacy perspective is very simple: if you suspect an application may be copying your clipboard content unknowingly, delete the application,” he said.
Tom Davison, technical director, international, at Lookout, told SC Media UK that apps are predominantly built with functionality in mind and privacy and security considerations may take second place. While the intent may be honourable, the consequences can be troublesome.
“For consumers it may be an unwelcome surprise; to a regulated business under GDPR, potential data leakage is a serious issue. The problem here is transparency, particularly when an API exposes data without needing user consent. Device manufacturers need to strictly control API access, users should pay attention to privacy policies, and enterprises should use tools to assess and govern compliant app usage,” he said.