App developers Tommy Mysk and Talal Haj Bakry recently published research uncovering a major privacy vulnerability in the cut-copy-paste feature on Apple iOS devices. The two developers found that iOS lets any app read whatever is stored in the system-wide clipboard, officially called the pasteboard on iOS, and that before iOS 14 it could do so silently, with no indication to the user that the contents had been read.
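To make the mechanism concrete, here is an added Swift example, written for this page rather than taken from TikTok, from the researchers, or from Apple's own samples. It contrasts the outright pasteboard read that iOS 14 now flags with a check that learns what kind of content is on the pasteboard without reading it. The `ClipboardAccess` enum and its function names are assumptions for illustration; the `UIPasteboard` calls are the real UIKit API.

```swift
import UIKit

/// Hypothetical helper (not any real app's code) showing the two ways an
/// iOS app can touch the pasteboard. The type and function names are
/// assumptions for this example.
enum ClipboardAccess {

    /// The pattern iOS 14 now exposes: reading the pasteboard contents
    /// outright, for example on app launch or foregrounding. Before iOS 14
    /// this was silent; from iOS 14 the system shows a "pasted from" banner
    /// every time it runs, whether or not the user asked to paste anything.
    static func readEverything() -> String? {
        // Returns the full clipboard text, including anything copied on a
        // paired Mac or iPad via Universal Clipboard.
        return UIPasteboard.general.string
    }

    /// The privacy-preserving pattern: find out whether the pasteboard holds
    /// something the app cares about (here, a web link) without reading it.
    /// `hasStrings` and `hasURLs` only consult type metadata, and
    /// `detectPatterns` (iOS 14 and later) asks the system to classify the
    /// content on the app's behalf. Neither call triggers the iOS 14 banner.
    static func checkForLinkWithoutReading(completion: @escaping (Bool) -> Void) {
        let pasteboard = UIPasteboard.general
        guard pasteboard.hasStrings || pasteboard.hasURLs else {
            completion(false)
            return
        }
        if #available(iOS 14.0, *) {
            pasteboard.detectPatterns(for: [.probableWebURL]) { result in
                switch result {
                case .success(let patterns):
                    completion(patterns.contains(.probableWebURL))
                case .failure:
                    completion(false)
                }
            }
        } else {
            // Older systems: hasURLs is the most we can learn without reading.
            completion(pasteboard.hasURLs)
        }
    }

    /// Read the contents only in response to an explicit user action (a Paste
    /// button, a share-sheet handler), so the banner appears exactly when the
    /// user expects the app to be looking at their clipboard.
    static func pasteOnUserRequest() -> String? {
        return UIPasteboard.general.string
    }
}
```

A quick check for anyone auditing an app on an iOS 14 device: copy some text, launch the app, and watch for the "pasted from" banner. If it appears before you have tapped anything, the app is doing the equivalent of `readEverything()` on its own initiative; an app following the `checkForLinkWithoutReading` pattern produces no banner until you actually paste.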
Worse, the excuse has now changed. According to TikTok, the issue is now “triggered by a feature designed to identify repetitive, spammy behavior,” and the company told me that it has “already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion.” In other words: We’ve been caught doing something we shouldn’t, and we’ve rushed out a fix.
TikTok also told me that the platform “is committed to protecting users' privacy and being transparent about how our app works." No comment on that one. TikTok added that it “looks forward to welcoming outside experts to our Transparency Center later this year.” When I covered the original TikTok clipboard issue, the company was adamant it was not their problem and related to an outdated library in their app. “The clipboard access issues,” a spokesperson told me, “showed up due to third-party SDKs, in our case an older version of the Google Ads SDK, so we do not get access to the information through this (presumably they do but we cannot speak to that). We are in the process of updating so that the third-party SDK will no longer have access.”
TikTok assured me it was being fixed and questioned coverage that suggested this was an issue. “It’s a Google Ads SDK issue,” they assured again in a later email, “so we need to make the change in which version of that SDK we use. TikTok does not get access to the data, but we are updating regardless to resolve it.”
Now Apple’s welcome iOS 14 security and privacy changes, which show a banner on screen every time an app reads the pasteboard, have caught them red-handed still doing something they shouldn’t. Something they said was fixed. TikTok isn’t alone: other apps will now need to change deliberate or inadvertent clipboard access. But TikTok is the highest profile and most totemic of the apps caught out, given its prior coverage and wider issues.
The most acute issue with this vulnerability is Apple’s Universal Clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa, as long as the devices share an Apple ID, have Handoff enabled and are within Bluetooth and Wi-Fi range of each other. So, if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: passwords, work documents, sensitive emails, financial information. Anything. Earlier in the year, when TikTok was first exposed, the security researchers acknowledged that there was no way to tell what the app might be doing with user data, and its abuse was lost in the mix of many others. Now it’s feeling different. iOS users can relax, knowing that Apple’s latest safeguard will force TikTok to make the change, which in itself shows how critical a fix this has been. For Android users, though, there is no word yet as to whether this is an issue for them as well.
“Apple dismissed the risks that we highlighted and explained that iOS already had mechanisms to counter all of the risks,” the researchers told me earlier this week. “But the mechanisms that Apple provided were not effective to protect user privacy.” Following their initial report, they explained, “there was a tremendous public interaction with the topic—not only iOS users, but also Android users demand more restriction and transparency about the apps that use the system-wide clipboard.”
Apple originally dismissed the clipboard vulnerability as a non-issue, and only provided a fix after significant media coverage of the security research. This latest news shows just how important that fix will be.
All iPhone users should update to the latest version of TikTok as soon as it’s released—and given it is actively reading your clipboard, you might want to bear that in mind while using the app ahead of that update.