Apple's new iOS 14 privacy feature catches LinkedIn copying clipboard contents
A new iOS 14 privacy feature, paste notifications, was recently rolled out to developers. This alerts the user when text copied to the Apple clipboard gets accessed by other apps. It didn't take long for the sticky privacy stuff to hit the fan, truth be told. The biggest furor followed the revelation that TikTok was grabbing the clipboard contents every few keystrokes. TikTok was just one of 53 apps that were reported to be reading users' clipboard content, although the others apparently only did this on startup. TikTok said it neither received not stored any of the data, and a June 27 app update stopped the process.
Now, as first reported by ZDNet, another well-known app has been caught out spying on the clipboard with every keypress: Microsoft-owned LinkedIn.
Don Morton, CEO at career portfolio site builder Urspace, spotted that LinkedIn was accessing his clipboard contents on every keystroke. In a July 2 tweet, Morton said, "I'm on an iPad Pro, and it's copying from the clipboard of my MacBook Pro." In other words, pretty much the same reason that TikTok got called out a week before.
Erran Berger, LinkedIn's vice president of engineering for consumer products, was quick to respond with an explanatory tweet of his own. Berger said that this was down to a code path that "only does an equality check" of the contents of the clipboard and the content that was typed into a LinkedIn text box.
I have reached out to LinkedIn to try and find out precisely what that means and will update this article if I get an understandable explanation.
In the meantime, Berger assures users that LinkedIn doesn't "store or transmit the clipboard contents," and that a fix is due to go live in the LinkedIn app, although no date for when this would happen was mentioned.
Morton also wrote an editorial in which he warned that everything from passwords to private crypto keys and credit card numbers go through our clipboards. The thing that scares him most, he wrote, was the fact that "any app has the ability to access the clipboard without permission." Morton points out that apps developed purely to phish information could scrape all the clipboard data possible to find information that could be used in a social engineering attack scenario.
There's no doubt that iOS 14 is already proving to be something of a game-changer with regards to clipboard reading, before it has even launched. But surely more needs to be done: isn't it time that access to the clipboard is treated in the same way as access to contacts, location and so on?
