On the 8th of July, a couple of iPhone apps were caught copying the contents of phone clipboards and keyboard presses. According to a blog post, LinkedIn had been copying clipboard content from iOS devices with every keystroke.
This huge invasion of privacy was discovered using a new feature on the iOS 14 beta called the ‘Universal Clipboard Privacy Feature’ (or the UCPF). Not only does this allow copying and pasting between Apple devices, but it also alerts users if another app has access to their clipboard data. In a tweet, LinkedIn’s Erran Berger (VP engineering) acknowledged the problem and explained that the company had “traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box”. He also said, “We don’t store or transmit the clipboard contents”.
In a separate report, the same feature revealed that Reddit has similar issues. A video shared by Don Morton, author of the original blog post, showed that the Reddit app also triggered UCPF alerts every time the keyboard was pressed. Reddit said that the issue was down to a code path that checks for URLs and then suggests a post title. “We do not store or send the pasteboard contents. We removed this code and are releasing the fix on 14 July”, the spokesperson confirmed.
Morton said in his blog post that he could “easily see phishing apps starting to pop up (if they are not already) with the sole intention to scrape as much clipboard data as possible”. Morton said that Apple should ask for users’ permission before apps have access to the clipboard. “Google is a big fan of this feature, we’ve seen them use the ‘from your clipboard’ suggestion in apps like Google Search, Maps, etc. I understand that it’s a nice feature to have but the security threat it imposes warrants a notification in my opinion”, he said.
The best advice from a security and privacy perspective is very simple: if you think an app might be copying your clipboard content without your knowledge, delete it. Stay safe, folks.