Have you ever copied a password or perhaps even your credit card number on your iPhone in order to easily paste it onto a website form?
If you have, then it’s likely you’ve just exposed that information to a slew of popular iPhone apps.
App developers Tommy Mysk and Talal Haj Bakry recently published their research uncovering a major vulnerability with the cut-copy-paste feature on Apple iOS devices. The two developers found that Apple provides apps with the ability to read data stored in the system’s clipboard, officially called Pasteboard on iOS devices. Furthermore, they discovered that dozens of popular iPhone and iPad apps access this data every time a user opens them.
“We have investigated many popular apps in the App Store and found that they frequently access the pasteboard without the user being aware,” the developers wrote. “Our investigation confirms that many popular apps read the text content of the pasteboard.”
Apps that could read the text or media you copy or cut on your iOS device include social networking apps like TikTok, Viber, and Weibo, as well as gaming applications like Plants vs. Zombies Heroes, PUBG Mobile, and Fruit Ninja. Other apps include live sporting events platform Dazn, ecommerce apps AliExpress and Overstock, and the Hotels.com app.
News applications appeared to lead in accessing this data, however. Some of the apps snooping on your clipboard include ABC News, Accuweather, CBS News, CNBC, The New York Times, Fox News, NPR, The Huffington Post, and Vice News. A full list of the offending apps can be found here.
Mysk and Bakry have also provided a video showing how they discovered the loophole.
It should be noted that there is no proof of anything maliciously being done with this information by the apps or the companies that publish them. This report shows that these applications are simply accessing this data without the users’ awareness or permission.
In February, the same app developer team published findings regarding a similar flaw with the iOS pasteboard. They found that GPS location information was leaking to apps which accessed the clipboard. This would happen if a user had copied an image taken by Apple’s default camera app.
According to Mysk and Bakry, Apple informed them “that they don’t see an issue with this vulnerability.”
With their latest findings, the two are now urging Apple to act.
“It is not clear what the apps do with the data,” they stated. “To prevent apps from exploiting the pasteboard, Apple must act.”