Security Week 27: clipboard privacy in iOS
In this context, the TikTok application was the one discussed most often last week. The developers reacted in the expected way: this is not a bug, but a feature. The regular clipboard request (not at startup, but continuously while text is being entered) was implemented to identify spammers who post the same text many times. This antispam check will be removed from the application in the next update. Although there is no direct threat to the security of user data, uncontrolled access to the clipboard carries certain privacy risks. Incidentally, the “news” turned out to be not entirely new: the strange behavior of these applications had already been investigated back in March of this year.
Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification pic.twitter.com/OSXP43t5SZ
– Jeremy Burge (@jeremyburge) June 24, 2020
The video in the tweet above shows the behavior of the TikTok application: while the user types a message, it reads the clipboard every time a space or any punctuation mark is entered. A detailed description of the problem on the ArsTechnica website explains why such application behavior can be dangerous. Obviously, passwords, payment information and other sensitive user data pass through the clipboard. But there is another feature of the Apple ecosystem: if the smartphone is near a macOS desktop computer, the two share a clipboard. Copied information is not erased from the clipboard and stays there until the next copy operation. It turns out that it is available to the developers of popular applications, and if not for the new feature in iOS 14, no one would have known about this behavior.
More precisely, only experts would have known. Back in March, a study was published in which several dozen applications with similar behavior were identified. Among those accessing the clipboard were apps from popular media outlets, games, and weather forecast applications. Clipboard capture is sometimes used for the convenience of the user: for example, when you log in to your account, a message with a code is sent to you. You copy the code, and it is automatically “picked up” when you return to the application.
But this is entirely optional functionality, and it is not at all clear why ball and golf games need access to the clipboard. Evidently, in all the applications mentioned, reading the clipboard was implemented “for the convenience of the user” or, at least, for the convenience of the developers. What happens next with the copied data is unknown. Speaking strictly of malware, clipboard interception is a standard technique for stealing user information, sometimes aimed directly at recognizing and stealing credit card data.
An interesting conflict has come to light: the clipboard, by definition, should be accessible to everyone. It is almost the last outpost of freedom and interaction in modern mobile operating systems, where applications are isolated ever more strictly from each other and from user data. But thoughtless access to the clipboard, when the user never intended to copy and paste anything, is not best practice either. It is likely that developers will have to change something in their applications. Otherwise, at least once iOS 14 is released, users will see a great many identical notifications about clipboard access.
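As an added illustration (not code from the article or from any of the applications it discusses), here is how the “copy the SMS code and it is picked up” convenience feature can be implemented so that the clipboard is read once, only while a login screen is actually waiting for a code, rather than on every keystroke; the `awaitingCode` flag and the six-digit code format are assumptions of this example.

```swift
import UIKit

/// Added example, not from the article: a restrained version of the
/// "pick up the SMS code from the clipboard" feature. The pasteboard is
/// read only when the app returns to the foreground AND a login screen
/// has said it is waiting for a code; it is never polled while typing.
final class OneTimeCodeField: UITextField {
    /// Hypothetical flag set by the login screen while it awaits an SMS code.
    var awaitingCode = false
    private var observer: NSObjectProtocol?

    override init(frame: CGRect) {
        super.init(frame: frame)
        observer = NotificationCenter.default.addObserver(
            forName: UIApplication.willEnterForegroundNotification,
            object: nil, queue: .main) { [weak self] _ in
            self?.pickUpCodeIfPresent()
        }
    }

    required init?(coder: NSCoder) { fatalError("not used in this example") }

    deinit {
        if let o = observer { NotificationCenter.default.removeObserver(o) }
    }

    private func pickUpCodeIfPresent() {
        // Do nothing unless the user is at the step where a code is expected.
        guard awaitingCode else { return }
        let pb = UIPasteboard.general
        // hasStrings only asks whether text is present; reading `string`
        // below is the actual clipboard access that iOS 14 reports to the user.
        guard pb.hasStrings, let text = pb.string else { return }
        // Accept only a short all-digit code (assumed six digits here);
        // anything else, e.g. a password, is discarded immediately.
        let code = text.trimmingCharacters(in: .whitespacesAndNewlines)
        guard code.range(of: "^[0-9]{6}$", options: .regularExpression) != nil
        else { return }
        self.text = code
        awaitingCode = false   // one pickup per login attempt
    }
}
```

The same restriction (read once, on an explicit occasion, keep nothing that does not match the expected format) is the behavior that avoids a stream of iOS 14 paste notifications.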
What else happened
Google Analytics can be used to collect and exfiltrate user data. A Kaspersky Lab expert analyzes a real attack that used the analytics service.
An Nvidia driver update (version 451.48 for most GeForce graphics cards) closes serious vulnerabilities, including arbitrary code execution.
As promised, here it is – All the useful data I collected from 1.000.000.000 leaked credentials on the internet.
And yes, it includes a wordlist of most common ones too, and it has an 80% mismatch rate with rockyou.txt. https://t.co/AoXNSydFS1 #infosec #bugbounty
– Ignis (@ahakcil) June 24, 2020
Interesting results from a study of a database of a billion passwords collected from leaks. In total, 168 million unique passwords were obtained. Less than 9% of the passwords appear in leaks only once, which means most passwords are most likely reused. Almost a third of the passwords consist of letters only and contain no digits or special characters.
An article about NotPetya’s 2017 attack on the shipping company Maersk, written by an IT insider.
Discussion continues in the US Congress of legislation that would require “backdoors” in the encryption systems on user devices. Cryptography specialists criticize this approach: protection cannot be weakened only in the interests of law enforcement agencies. The ability to decrypt data with the “secret key” may ultimately become available to everyone.
On June 25, Akamai reported that it had mitigated one of the largest DDoS attacks to date. The article also proposed a new way of measuring attack strength: in “packets per second”. This was needed because of the attack’s properties: each attacking system did not try to saturate the provider’s channel with traffic volume, but instead sent tiny packets of only one byte of payload. At the same time, the junk requests arrived at a very high rate: up to 809 million packets per second.
A database of 40 million login-to-phone-number pairs from the Telegram messenger has appeared in open access. Of the users in the database, 30% are from Russia. Most likely, the database was compiled by abusing the messenger’s standard functionality that lets you find users by phone number if the number is stored in the address book.