First it was TikTok, then LinkedIn, Now Reddit.
Yesterday it was LinkedIn that was making the news after being exposed by Apple's iOS 14 new privacy notification feature. The same developer that spotted the LinkedIn app accessing his clipboard data with every keystroke, Don Morton, has also posted a video to Twitter showing the Reddit app exhibiting the same worrying behavior.
The new feature in iOS 14, which has yet to be released to the general public, alerts the user when another app accesses text within the Apple clipboard. The paste notifications, as they are known, have already got one big scalp in the shape of TikTok, although the viral video app was hardly alone.
A total of 53 apps were found to be accessing the clipboard data on startup, but TikTok was dipping into the data with every few keystrokes.
TikTok was quick to respond, letting the world know that it didn't receive or store any clipboard data and the functionality had been disabled in a June 27 app update.
When Morton found LinkedIn also involved in the “every keystroke” capture of clipboard data, it quickly responded by way of Erran Berger, vice president of engineering for consumer products. In a tweet, Berger stated that the code path was performing an "equality check" between the clipboard content and that typed into a LinkedIn text box.
When I approached LinkedIn for an explanation of what that actually means, a spokesperson told me in an email that "equality check is a publicly referenced term, so we don’t have anything to add." Berger did, however, tweet that a fix would go live that stops the behavior.
A Reddit spokesperson told The Verge that it had tracked the behavior down to the "post composer that checks for URLs in the pasteboard and then suggests a post title based on the text contents of the URL." Reddit also said that it neither stores nor sends the pasteboard contents and a fix to the app, removing the relevant code, will be released on July 14.
It is, perhaps, surprising that it has taken so long for these privacy-implicated behaviors to come to the fore with the beta release of iOS 14. Back on February 24, two app developers, Talal Haj Bakry and Tommy Mysk explained how they had discovered location information being leaked through the system pasteboard. "Apple informed us that they don’t see an issue with this vulnerability," the pair said at the time.
One can’t help but wonder which app will get caught dipping into clipboard data next? Maybe now’s the time for every app developer to be checking that they aren’t going to be making the privacy and tech news headlines tomorrow...
I have reached out to both Reddit and Apple for further comment and will update this article if there's anything more to add.
