- The vulnerability can reveal private information such as a user’s GPS coordinates, passwords, banking data or a spreadsheet copied into an email.
- KlipboardSpy and KlipSpyWidget take advantage of any cut-and-paste data that is temporarily stored in an iPhone or iPad’s memory.
iPhone and iPad users should beware of a vulnerability that arises from the way the cut-and-paste feature is implemented on iOS devices. Researchers have discovered that this common feature can pose a unique security risk, allowing apps to snoop on anything that a user copies and pastes.
What is the flaw?
Demonstrated by a German software engineer, Tommy Mysk, the vulnerability can reveal private information such as a user’s GPS coordinates, passwords, banking data or a spreadsheet copied into an email.
To illustrate his concern, Mysk has created a rogue proof-of-concept (PoC) app called KlipboardSpy and an iOS widget named KlipSpyWidget. Both are designed to highlight how many apps installed on iOS devices can act maliciously and access clipboard data to steal sensitive personal information.
The app and widget take advantage of any cut-and-paste data that is temporarily stored in an iPhone or iPad’s memory.
How did Apple respond?
In response to his research, Apple said it does not consider its implementation of ‘cut-and-paste’ a vulnerability, but rather a basic function of most operating systems and the applications that run on them, Mysk told Threatpost.
Mysk highlights that the best fix for this exploit is to introduce a new permission that lets the user grant an app access to pasteboard data, as is already done for contacts, location services, and photos. He further suggests that operating systems should automatically delete location information from photos once they are copied to the pasteboard. This would prevent the leak of GPS coordinates from photos.