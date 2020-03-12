Tommy Mysk

TikTok is no stranger to security concerns. Back in January, I reported on a security vulnerability in its communications. This followed multiple complaints over child safety and national security concerns. And now, today, we have a move by U.S. senators to ban the app from all U.S. government devices over espionage fears.

Coincidentally, just as that U.S. move takes place, an unconnected security report has raised yet another concern about the viral video-sharing app. TikTok was not the focus of the report; it is actually an investigation into a loophole in Apple's copy and paste. But it is a security gap TikTok is making use of, although the researchers have no idea why.

Back in February, I covered a new security report that showed how the clipboards on iPhones and iPads are open to exploitation by apps on those devices to access any data a user copies to their clipboard. It’s not a complex vulnerability. If you copy text or data, an active app can see it without you realizing. What’s worse, the researchers told me, “we have also shown how an iPhone or iPad app can eavesdrop on a Mac.”

As I reported before, Apple's view is that this is the copy and paste function working as normal, but the company has taken flak for the seeming lack of privacy. My guess remains that this security/privacy loophole will be addressed in a future update.

And the chance of that update may now have increased, because those researchers are back. “We explored popular iOS and iPadOS apps,” they told me, “investigating whether they access the clipboard and get information from it. Our findings were astonishing. Many popular apps do this very frequently.”

And one of those apps is TikTok. “The logs clearly indicate that TikTok is reading the content of the clipboard whenever it is opened,” the researchers told me, adding “we can’t say for sure what TikTok is doing with the data it has read.”

TikTok is not alone. The researchers name around 50 apps that were tested and found to be reading the clipboard indiscriminately. According to the researchers, “many apps quietly read text found in the pasteboard every time they are opened. Text left in the pasteboard could be just a shopping list, or could be something more sensitive: passwords, account numbers, etc.”

TikTok stands out, though, given its much wider security concerns.

There is no claim being made that TikTok or any of the other apps are actually exfiltrating user data; the likelier explanation is old software libraries. "Perhaps these libraries read the pasteboard," the researchers said, likely the same libraries shared by multiple apps. "I assume the publishers of these apps are not aware of it."

This is a report about a vulnerability, not about its exploitation. But the researchers argue the vulnerability should not be there in the first place. It is clear that users are unaware that this is taking place. "Can I see a POC video for this?" I asked. "We will prepare a video and post it," they told me. Here it is:

Copying and pasting on an iOS device is far less frequent than on a Mac. And so the Universal Clipboard is the real risk: it syncs the clipboard between a Mac and nearby iPhones and iPads signed into the same Apple ID, so an iOS app can view data that was copied on a Mac. As Apple says, "you can copy content such as text, images, photos, and videos on one Apple device, then paste the content on another."

In their blog, the researchers Talal Haj Bakry and Tommy Mysk explain their methodology for testing apps in detail. They used Apple's command-line tools to monitor app behavior, reading the system log, which records pasteboard events.

The researchers ignored apps that only look at the pasteboard the first time the app is opened. "We include an app that requests and reads the content of the system-wide pasteboard every time it's opened," they explain, "and consider it to be highly suspicious. There are games and apps that do not provide any UI that deals with text, yet they read the text content of the pasteboard every time they're opened."

The researchers also note that although the apps could access any data type on the clipboard, the ones they found were only reading text and ignoring other data.

Again, it has to be stressed that there is no claim here that any of the apps listed are actually snooping on users or doing anything with that data. But the fact that the data can be accessed without user awareness is a privacy concern.

Apps should either need a specific permission to read the clipboard, or such access should be restricted to the moment a user actively elects to paste; failing that, the user should be notified whenever such a system request has been made. "To prevent apps from exploiting the pasteboard," the researchers say, "Apple must act."
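To make concrete both the behavior the researchers flagged (an app reading the text content of the pasteboard every time it becomes active) and the alternative argued for above (reading only when the user chooses to paste), here is an added example in Swift. It is illustrative code written for this article, not code taken from TikTok, from any of the apps named, or from the researchers' blog; the class names are invented. It uses only public UIKit API: UIPasteboard.general.string, hasStrings and changeCount.

```swift
import UIKit

// Added example, not code from the article or from any named app.
// Pattern A: the "highly suspicious" behavior the researchers describe.
// The app pulls the text content of the system pasteboard into its own
// process every time it becomes active, whether or not the user ever
// intends to paste anything, and nothing on screen indicates it happened.
final class EagerClipboardReader {
    private(set) var lastSeen: String?

    // Called from applicationDidBecomeActive / sceneDidBecomeActive.
    func onBecomeActive() {
        // .string returns the clipboard text; no permission prompt,
        // no notification. A password or account number copied on a
        // Mac and synced via Universal Clipboard lands here too.
        lastSeen = UIPasteboard.general.string
    }
}

// Pattern B: read only on an explicit paste action.
// Between pastes the app asks two content-free questions: does the
// pasteboard hold text at all (hasStrings), and has it changed since we
// last looked (changeCount). Neither call reveals what was copied.
final class ConsentingClipboardReader {
    private var lastChangeCount: Int = -1

    // Safe to call on activation: decides whether a "Paste" control is
    // worth showing without touching the clipboard content.
    func hasNewTextToOffer() -> Bool {
        let pb = UIPasteboard.general
        guard pb.changeCount != lastChangeCount else { return false }
        return pb.hasStrings
    }

    // Called only from the user's Paste action. This is the single place
    // in the app that reads the content, so a log of pasteboard events
    // for this app lines up one-to-one with user taps.
    func userTappedPaste() -> String? {
        let pb = UIPasteboard.general
        lastChangeCount = pb.changeCount
        return pb.string
    }
}
```

The changeCount guard is what separates a one-off paste from the "every time it's opened" pattern in the researchers' logs: once the user has pasted a given clipboard item, the app has no reason to read it again until the clipboard changes. Third-party libraries bundled into an app can still contain Pattern A, so the check a publisher should run is the one the researchers ran: watch the system log while launching the app and confirm pasteboard reads happen only on paste.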

TikTok and the other apps named should be transparent about their need to read the iOS clipboard or they should remove the functionality now.

In the meantime, be mindful what you copy.

