By Chand Bellur
February 27, 2020 at 1:24 p.m. PDT
- Apple’s copy and paste implementation allows third-party apps to access the pasteboard.
- A malicious, third-party app can gather GPS location data from the pasteboard.
- Apple is aware of the vulnerability, but does not consider it a defect.
Talal Haj Bakry and Tommy Mysk Find Pasteboard Vulnerability
Two iOS developers recently found a security flaw affecting approximately one billion users. Anyone using iOS 13.3 is at risk of having their location or other data accessed by malicious third-party apps.
Talal Haj Bakry and Tommy Mysk recently found and reported a serious defect with the pasteboard in iOS and iPadOS. The flaw allows third-party apps access to the iOS pasteboard.
At first glance, this may not seem like a severe defect. However, photos store sensitive metadata, such as GPS coordinates. Users who copy and paste photos from one app to another are vulnerable to this flaw.
The flaw allows third-party apps to access pasteboard data, even if the user doesn’t paste to the malicious app. In iOS, all apps have access to the pasteboard. Even widgets can access this sensitive data.
According to mysk.com:
“iOS and iPadOS apps have unrestricted access to the systemwide general pasteboard. A user may unwittingly expose their precise location to apps by simply copying a photo taken by the built-in Camera app to the general pasteboard. Through the GPS coordinates contained in the embedded image properties, any app used by the user after copying such a photo to the pasteboard can read the location information stored in the image properties, and accurately infer a user’s precise location. This can happen completely transparently and without user consent.”
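The exposure the quote describes lives in the image file itself, not only in the pasteboard: a camera JPEG carries an Exif APP1 segment whose GPS sub-IFD stores latitude and longitude as degree/minute/second rationals, and whoever holds the bytes can parse them. The following Python script is an added example, not code from this article or from Mysk; it constructs a minimal JPEG container with a GPS-bearing Exif block (the coordinates are constructed sample values), reads the GPS entries back out the way any app that receives the image could, and shows the defender-side mitigation of stripping the Exif segment before the image is handed to another app. Tag numbers come from the Exif specification; the parser handles only the fields the example needs and assumes the data offsets it built.

```python
import struct

# Tag numbers from the Exif/TIFF specification.
TAG_GPS_IFD = 0x8825      # IFD0 entry pointing to the GPS sub-IFD
TAG_GPS_LAT_REF = 0x0001  # ASCII "N" or "S"
TAG_GPS_LAT = 0x0002      # three RATIONALs: degrees, minutes, seconds
TAG_GPS_LON_REF = 0x0003  # ASCII "E" or "W"
TAG_GPS_LON = 0x0004
EXIF_HEADER = b"Exif\0\0"


def _entry(tag, typ, count, value4):
    """One 12-byte little-endian IFD entry; value4 is the inline value or an offset."""
    return struct.pack("<HHI", tag, typ, count) + value4


def build_sample_jpeg():
    """Construct a minimal JPEG container (SOI, one Exif APP1 segment, EOI) whose
    Exif block carries GPS coordinates. The values are constructed for this example;
    the result has a valid segment layout but is not a decodable picture."""
    lat_dms = [(37, 1), (19, 1), (5448, 100)]   # 37 deg 19' 54.48" N (constructed)
    lon_dms = [(122, 1), (1, 1), (48, 1)]       # 122 deg 1' 48.00" W (constructed)
    tiff = struct.pack("<2sHI", b"II", 42, 8)   # TIFF header: little-endian, IFD0 at 8
    # IFD0 (offset 8, 18 bytes): a single entry pointing to the GPS IFD at offset 26.
    tiff += struct.pack("<H", 1) + _entry(TAG_GPS_IFD, 4, 1, struct.pack("<I", 26))
    tiff += struct.pack("<I", 0)                # no next IFD
    data_off = 26 + 2 + 4 * 12 + 4              # GPS IFD is 54 bytes; rationals at 80
    tiff += struct.pack("<H", 4)
    tiff += _entry(TAG_GPS_LAT_REF, 2, 2, b"N\0\0\0")
    tiff += _entry(TAG_GPS_LAT, 5, 3, struct.pack("<I", data_off))
    tiff += _entry(TAG_GPS_LON_REF, 2, 2, b"W\0\0\0")
    tiff += _entry(TAG_GPS_LON, 5, 3, struct.pack("<I", data_off + 24))
    tiff += struct.pack("<I", 0)
    for num, den in lat_dms + lon_dms:
        tiff += struct.pack("<II", num, den)
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def iter_segments(jpeg):
    """Yield (marker, start, end) for each length-prefixed segment after SOI,
    stopping at SOS or EOI; entropy-coded data after SOS carries no length."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one IFD."""
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        p = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[p:p + 8])
        entries[tag] = (typ, count, tiff[p + 8:p + 12])
    return entries


def extract_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None without GPS Exif data.
    This is the read that any app holding the image bytes can perform."""
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0], e)
        if TAG_GPS_LAT not in gps or TAG_GPS_LON not in gps:
            return None

        def dms(tag):  # three RATIONALs (num, den) -> decimal degrees
            off = struct.unpack(e + "I", gps[tag][2])[0]
            parts = struct.unpack(e + "6I", tiff[off:off + 24])
            d, m, s = (parts[i] / parts[i + 1] for i in (0, 2, 4))
            return d + m / 60 + s / 3600

        lat, lon = dms(TAG_GPS_LAT), dms(TAG_GPS_LON)
        if gps.get(TAG_GPS_LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
            lat = -lat
        if gps.get(TAG_GPS_LON_REF, (0, 0, b"E"))[2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed, so image
    properties (GPS included) do not travel with the pixels when it is shared."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]          # SOS/EOI and everything after it, unchanged
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", extract_gps(sample))               # approx. (37.3318, -122.03)
    print("after: ", extract_gps(strip_exif(sample)))   # None
```

Stripping the whole APP1 segment is deliberately blunt: it also discards orientation, camera model and timestamps, which is the trade-off a sharing or clipboard-handling path should make by default, since it is the metadata rather than the pixels that leaks location. Run the script directly to see the coordinates recovered from the constructed file and then absent after stripping.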
Apple Doesn’t Consider Malicious Pasteboard Access to Be a Vulnerability
The software engineering duo submitted documentation to Apple almost two months ago. The Cupertino tech giant replied that the issue is not a defect.
To a certain extent, such a vulnerability may be handled by the App Store itself. App Store submissions undergo technical analysis as part of the submission process. A malicious app gathering GPS data from the pasteboard could be easily detected. Perhaps Apple is handling this issue, but cannot disclose the process. The company is notoriously opaque about its processes.
It’s also possible that Apple will quietly fix this defect, without crediting the two developers. Apple currently offers a bug bounty for finding security flaws. This discovery certainly merits an award; however, Apple may be reluctant to pay out. Although the company has deep pockets, like most large, multinational corporations, they have a problem with honesty.
In either event, users may want to exercise caution when copying and pasting photos between apps. Most apps allow embedding photos directly from the camera roll. If you’re concerned about this flaw, simply stop using copy and paste for photos. Accessing photos directly from within apps is faster and more secure.