iOS 14 beta has a banner to confirm when you paste from another device (eg copy on a Mac and paste on iPhone)
Seems to be bugging out and showing with every keystroke in TikTok
The alternative possibility is TikTok stealing what is on my clipboard every single time I type a keystroke.
I don't have a way to know for sure. Thought it worth putting out there.
To reproduce:
1. Have something on your clipboard. Eg copy some text from Notes or a website
2. Open TikTok and start typing in any text field
3. You learn from iOS 14 beta each time an app “pastes” - but in this instance I didn’t request it, and none of that text appears in UI
I’m no expert on this so others will have to weigh in on how to tell if TikTok is reading/using the clipboard without consent or “inspecting” it.
I would wonder why it needs to inspect the clipboard at all, but even more so to do it every keystroke
Quote Tweet
Ed Cormany
@ecormany
Replying to @jeremyburge
inspecting, but not necessarily grabbing. if what they’re doing isn’t nefarious, there are new APIs that don’t trigger the warning. https://twitter.com/twolivesleft/status/1275776460918157315…
More context about other apps. Interested whether any do it every keystroke, or just on certain actions like this
Quote Tweet
Nathan Lawrence
@NathanBLawrence
Replying to @DaveWoodX, @jeremyburge
Outlook checks when you move first responder status to the “To” and “CC” fields most frequently for me, which makes me think it’s doing some kind of prefetching of email addresses you have in the pasteboard to see if it can pull up pictures for them fast enough when you paste in.
Based on reports from developers, it appears that a number of apps on iOS (and presumably Android?) check the clipboard contents from time to time.
Until iOS 14 this happened silently, but now we have an alert. Which is great.
Some apps check for URLs or other content on the clipboard as a feature (eg Apollo for Reddit) to check if it can use the clipboard contents and offer functionality to the user. Other apps don't make the purpose clear (eg Microsoft Teams).
The sticking point seems to be that clipboard access triggers an alert on iOS 14 that the app pasted your clipboard contents.
Best it works like this as we (the users) have no way to know what happens next.
We (the users) cannot tell which apps access the clipboard to 'inspect' it to offer features, or which apps access the clipboard to potentially paste + send the contents to a remote server
If there is a way to detect what an app does with its clipboard access, I'd love to know
In the case of TikTok, why it needs to check the clipboard (and trigger the alert it is being 'pasted') after every 1-3 keystrokes is odd. It CAN be explained as a potential bad implementation of a framework. Or something more nefarious.
No way to know, that I can see?
As an aside: any app can already steal what you type into it, even if you don't hit send.
Websites can do it too.
It's sneaky and I don't like it, but they can do it (not necessarily legally re: GDPR, but that's another issue)
Always assume an app can use what you type into it
The difficulty here is no way to ban an app from having clipboard access. That would be a welcome feature.
Or to sandbox the clipboard's use per-app, unless permission granted for a single-use external-app paste. Or for access for an hour, day, week, or permanently.
As far as I'm aware, all apps can access the clipboard on macOS, Windows, Android, and iOS without permission.
It's been a common feature. The main change now is iOS reporting when an app accesses it (usually after a user presses paste, but not always)
Quote Tweet
Liam Forsyth
@liamdforsyth
Replying to @jeremyburge
Yeah surprised it works this way, you’d think your clipboard was something you gave an app, not something they just have access to. Seems weird considering your clipboard could contain something sensitive.
It's a very clever tweak.
By telling the user when the clipboard is accessed, they can ignore it if it's just after tapping Paste (good, it did what I asked)
But any other time the 'app pasted content from other app' banner shows, users will want to know why
Oh and for all the comments of "see, THIS is EXACTLY why I never installed TikTok" c'mon now
Don't pretend like half of y'all really would be dancing to Renegade on TikTok if it wasn't for your security concerns
We all want apps to respect user data. But for those just wanting to dunk on the teens and feel superior about it, there's no need.
We can focus on valid security and privacy concerns without the value judgements around the TikTok demographic.
Laurence here with the details on this (pre-iOS 14 snitching on apps for clipboard access)
Quote Tweet
Laurence Dodds
@LFDodds
Replying to @jeremyburge
Hello Jeremy! So I actually investigated this in March and found out why it's happening, for TikTok and other apps (TLDR: it's a weird and widespread SDK behaviour).
At the time, TikTok told me it would stop within a few weeks...
1. TikTok said it would remove clipboard-access code 'in a few weeks' in Mar 2020. It's been 3 months and it's still there
2. It's possible nothing suss is happening w clipboard data. TikTok says it's just due to the SDK. We have no way to know for sure
Quote Tweet
Laurence Dodds
@LFDodds
Replying to @jeremyburge
Hard to confirm it for sure, but FWIW both TikTok and Google (whose SDK it was in this case, according to TikTok) said on the record that no user data was ever sent off device. Supposedly it's just not the way the SDK(s) work. Take that as you will!
What's interesting in hindsight is most nerds have known apps can access clipboard data since...the 80s?
We either didn't think too much about it, or assumed apps wouldn't abuse this without our input
I know I never gave it much thought until iOS 14 put it in my face.
BREAKING: TikTok says it will stop reading iPhone users' clipboards after an OS update exposed its constant snooping – along with MANY other apps doing the same.
Problem: TikTok already promised me in March it would stop within weeks
According to TikTok the clipboard access taking place in March 2020 was a different type of clipboard access to what is going on now (!?) but has said they'll stop doing this too
Quote Tweet
Laurence Dodds
@LFDodds
This week, though, @rjonesy and @jeremyburge spotted that TikTok was still at it.
The company now says this was a separate feature – but has not yet said how long it has been in place, nor whether it collected any personal data. See our full story here: https://telegraph.co.uk/technology/2020/06/25/tiktok-stop-snooping-users-clipboards-iphone-update-shows-app/…
I don't connect with the concept of TikTok personally but a lot of other people do. A better solution to this problem would be a non-China-based implementation of the idea itself. Here is one quick tutorial on the same
Recreating the Tiktok interface using React Native and styled components. Enjoy and leave your like in the video :) Instagram: https://www.instagram.com/regi...
Here's a test you should run.
Create a bitly account if you don't have one, log in, and create a bitly link for anything; it doesn't matter what it is.
Copy that bitly link to your clipboard and repeat what you're doing in that video.
Monitor the bitly link for clicks.
inspecting, but not necessarily grabbing. if what they’re doing isn’t nefarious, there are new APIs that don’t trigger the warning.
Quote Tweet
Simeon
@twolivesleft
Oof. I just checked Codea under iOS 14 and it looks pretty creepy if you have something in your pasteboard from another app
Codea doesn’t do anything with your pasteboard data, it only checks that it’s not empty in order to activate the “Paste” command in the editing menu!
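The distinction drawn in the two tweets above, as an added Swift example (not part of the thread and not Codea's code): availability checks and the iOS 14 pattern-detection API consult pasteboard metadata only, while reading `UIPasteboard.general.string` is the content access that the iOS 14 banner reports. The function names are hypothetical.

```swift
import UIKit

// Added illustration; function names are hypothetical, UIKit calls are Apple's.

/// Decide whether to enable a "Paste" menu command.
/// hasStrings / hasURLs only report whether such items exist;
/// they do not hand the clipboard contents to the app.
func shouldEnablePasteCommand() -> Bool {
    let board = UIPasteboard.general
    return board.hasStrings || board.hasURLs
}

/// iOS 14+: ask whether the clipboard *probably* holds a web URL
/// (e.g. to offer an "open copied link" feature) without receiving the value.
/// The completion handler may run off the main queue.
@available(iOS 14.0, *)
func clipboardProbablyHoldsURL(_ completion: @escaping (Bool) -> Void) {
    let wanted: Set<UIPasteboard.DetectionPattern> = [.probableWebURL]
    UIPasteboard.general.detectPatterns(for: wanted) { result in
        switch result {
        case .success(let found):
            completion(found.contains(.probableWebURL))
        case .failure:
            completion(false)   // treat errors as "nothing usable"
        }
    }
}

/// Read the actual contents only when the user explicitly asks to paste.
/// This read is what iOS 14 surfaces with the "pasted from ..." banner
/// when the content originated in another app.
func handleUserTappedPaste(into textView: UITextView) {
    guard let text = UIPasteboard.general.string else { return }
    textView.insertText(text)
}
```

An app that calls the last function's `UIPasteboard.general.string` read from a text-change handler instead of a paste action would produce the per-keystroke banner described at the top of this thread.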
Apps abusing the clipboard can steal passwords from password managers when the user copies them, and associate them with the user account via parallel construction.
e.g. Time of stealing password from clipboard + time of my tweet.
1/2
Android 10 has made some changes like allowing only IME (Input Method Editors) & in-focus apps to access the clipboard. Not a fool-proof way to prevent the issue.
One more reason to destroy app duopoly & switch to pure Linux -