#jeremyburge | Explore Tumblr posts and blogs

thegeekherald · 5 years ago

Text

TikTok and 53 Other iOS Apps are Spying Your Data

TikTok, a Chinese-owned social media has been a phenomenon. There are at least 800 million users globally and the number keeps rising. Amid its popularity, TikTok accesses some of Apple users’ most private data, which can include passwords. Another 53 apps identified in March are still doing this practice.

This finding has been confirmed by researchers Talal Haj Bakry and Tommy Mysk. On their blog post, they mentioned that these apps are quietly reading users’ clipboard every time the apps are opened. The clipboard is a feature where all the text copied or cut is stored. These apps’ accesses can be dangerous, as user sometimes paste their passwords, messages, and cryptocurrency wallet addresses. It is not clear yet the reason for doing so.

Finding on iOS 14

Alongside the developer beta release of iOS 14, this security concern regains attention. Apple added a novel feature providing a banner warning every time an app reads clipboard contents. Users are appreciating this, exposing apps engaged in this practice and how frequently they do it.

A YouTube video, gaining more than 100 thousand views has demonstrated this finding. When users open an app with this access, a pop-up message on top of the screen will give notification. Check out the video below.

youtube

Among these apps, TikTok gains more attention. A Twitter thread revealed that the apps are reading clipboard data aggressively, unlike any other apps. On the thread, the user mentioned that TikTok is pasting the data every 1-3 keystrokes.

If you have an iOS 14 beta installed on your phone, you can reproduce this finding. For example, you can copy some text from a website. Then, open TikTok and start typing in any text field. A notification will warn you every time an app “pastes” data from your clipboard.

To reproduce: 1. Have something on your clipboard. Eg copy some text from Notes or a website 2. Open TikTok and start typing in any text field 3. You learn from iOS 14 beta each time an app “pastes” – but in this instance I didn’t request it, and none of that text appears in UI

— Jeremy Burge (@jeremyburge) June 24, 2020

Earlier in March, TikTok said it would remove the clipboard-access algorithm in a few weeks. In fact, after more than three months, the app is still spying users’ clipboard data.

List of Apps Spying User’s Clipboard Data

Here’s a list of the other 53 apps:

News

ABC News — com.abcnews.ABCNews

Al Jazeera English — ajenglishiphone

CBC News — ca.cbc.CBCNews

CBS News — com.H443NM7F8H.CBSNews

CNBC — com.nbcuni.cnbc.cnbcrtipad

Fox News — com.foxnews.foxnews

News Break — com.particlenews.newsbreak

New York Times — com.nytimes.NYTimes

NPR — org.npr.nprnews

ntv Nachrichten — de.n-tv.n-tvmobil

Reuters — com.thomsonreuters.Reuters

Russia Today — com.rt.RTNewsEnglish

Stern Nachrichten — de.grunerundjahr.sternneu

The Economist — com.economist.lamarr

The Huffington Post — com.huffingtonpost.HuffingtonPost

The Wall Street Journal — com.dowjones.WSJ.ipad

Vice News — com.vice.news.VICE-News

Games

8 Ball Pool

— com.miniclip.8ballpoolmult

AMAZE!!! — com.amaze.game

Bejeweled — com.ea.ios.bejeweledskies

Block Puzzle —Game.BlockPuzzle

Classic Bejeweled — com.popcap.ios.Bej3

Classic Bejeweled HD —com.popcap.ios.Bej3HD

FlipTheGun — com.playgendary.flipgun

Fruit Ninja — com.halfbrick.FruitNinjaLite

Golfmasters — com.playgendary.sportmasterstwo

Letter Soup — com.candywriter.apollo7

Love Nikki — com.elex.nikki

My Emma — com.crazylabs.myemma

Plants vs. Zombies

Heroes — com.ea.ios.pvzheroes

Pooking – Billiards City — com.pool.club.billiards.city

PUBG Mobile — com.tencent.ig

Tomb of the Mask — com.happymagenta.fromcore

Tomb of the Mask: Color — com.happymagenta.totm2

Total Party Kill — com.adventureislands.totalpartykill

Watermarbling — com.hydro.dipping

Social Networking

TikTok — com.zhiliaoapp.musically

ToTalk — totalk.gofeiyu.com

Tok — com.SimpleDate.Tok

Truecaller — com.truesoftware.TrueCallerOther

Viber — com.viber

Weibo — com.sina.weibo

Zoosk — com.zoosk.Zoosk

Other

10% Happier: Meditation —com.changecollective.tenpercenthappier

5-0 Radio Police Scanner — com.smartestapple.50radiofree

Accuweather — com.yourcompany.TestWithCustomTabs

AliExpress Shopping App — com.alibaba.iAliexpress

Bed Bath & Beyond — com.digby.bedbathbeyond

Dazn — com.dazn.theApp

Hotels.com — com.hotels.HotelsNearMe

Hotel Tonight — com.hoteltonight.prod

Overstock — com.overstock.app

Pigment – Adult Coloring Book — com.pixite.pigment

Recolor Coloring Book to Color — com.sumoing.ReColor

Sky Ticket — de.sky.skyonline

The Weather Network — com.theweathernetwork.weathereyeiphone

The post TikTok and 53 Other iOS Apps are Spying Your Data appeared first on The Geek Herald.

0 notes

ladystylestores · 5 years ago

Text

TikTok and 53 other iOS apps still snoop your sensitive clipboard data

In March, researchers uncovered a troubling privacy grab by more than four dozen iOS apps including TikTok, the Chinese-owned social media and video-sharing phenomenon that has taken the Internet by storm. Despite TikTok vowing to curb the practice, it continues to access some of Apple users’ most sensitive data, which can include passwords, cryptocurrency wallet addresses, account-reset links, and personal messages. Another 53 apps identified in March haven’t stopped either.

The privacy invasion is the result of the apps repeatedly reading any text that happens to reside in clipboards, which computers and other devices use to store data that has been cut or copied from things like password managers and email programs. With no clear reason for doing so, researchers Talal Haj Bakry and Tommy Mysk found, the apps deliberately called an iOS programming interface that retrieves text from users’ clipboards.

Universal snooping

In many cases, the covert reading isn’t limited to data stored on the local device. In the event the iPhone or iPad uses the same Apple ID as other Apple devices and are within roughly 10 feet of each other, all of them share a universal clipboard, meaning contents can be copied from the app of one device and pasted into an app running on a separate device.

That leaves open the possibility that an app on an iPhone will read sensitive data on the clipboards of other connected devices. This could include bitcoin addresses, passwords, or email messages that are temporarily stored on the clipboard of a nearby Mac or iPad. Despite running on a separate device, the iOS apps can easily read the sensitive data stored on the other machines.

“It’s very, very dangerous,” Mysk said in an interview on Friday, referring to the apps’ indiscriminate reading of clipboard data. “These apps are reading clipboards, and there’s no reason to do this. An app that doest have a text field to enter text has no reason to read clipboard text.”

The video below demonstrates universal clipboard reading:

youtube

KlipboardSpy: How malicious apps on iPhone and iPad abuse the Universal Clipboard on your Mac.

Back in the news

While Haj Bakry and Mysk published their research in March, the invasive apps made headlines again this week with the developer beta release of iOS 14. A novel feature Apple added provides a banner warning every time an app reads clipboard contents. As large numbers of people began testing the beta release, they quickly came to appreciate just how many apps engage in the practice and just how often they do it.

This YouTube video, which has racked up more than 87,000 views since it was posted on Tuesday, shows a small sample of the apps triggering the new warning

youtube

iOS14 Catches Apps Spying on Your Clipboard

TikTok in the spotlight

Recent headlines have focused particular attention on TikTok, in large part because of its massive base of active users (reported to be 800 million, with an estimated 104 million iOS installs in the first half of 2018 alone, making it the most downloaded app for that period).

TikTok’s continued snooping has gotten extra scrutiny for other reasons. When called out in March, the video-sharing provider told UK publication The Telegraph it would end the practice in the coming weeks. Mysk said that the app never stopped the monitoring. What’s more, a Wednesday Twitter thread revealed that the clipboard reading occurred each time a user entered a punctuation mark or tapped the space bar while composing a comment. That means the clipboard reading can happen every second or so, a much more aggressive pace than documented in the March research, which found monitoring happened when the app was opened or reopened.

— Jeremy Burge (@jeremyburge) June 24, 2020

In a statement, TikTok representatives wrote:

Following the beta release of iOS14 on June 22, users saw notifications while using a number of popular apps. For TikTok, this was triggered by a feature designed to identify repetitive, spammy behavior. We have already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion.

TikTok is committed to protecting users’ privacy and being transparent about how our app works. We look forward to welcoming outside experts to our Transparency Center later this year.

On background, a spokesperson said that TikTok for Android never implemented the anti-spam feature.

I sent follow-up questions asking (1) if the TikTok version for Android monitored clipboards for any other reason, (2) if any clipboard text was uploaded from the device, and (3) why TikTok didn’t remove the monitoring as promised in March. The spokesperson has yet to respond. This post will be updated if a reply comes later.

Not just TikTok

In all, the researchers found the following iOS apps were reading users’ clipboard data every time the app was opened with no clear reason for doing so:

News

ABC News — com.abcnews.ABCNews

Al Jazeera English — ajenglishiphone

CBC News — ca.cbc.CBCNews

CBS News — com.H443NM7F8H.CBSNews

CNBC — com.nbcuni.cnbc.cnbcrtipad

Fox News — com.foxnews.foxnews

News Break — com.particlenews.newsbreak

New York Times — com.nytimes.NYTimes

NPR — org.npr.nprnews

ntv Nachrichten — de.n-tv.n-tvmobil

Reuters — com.thomsonreuters.Reuters

Russia Today — com.rt.RTNewsEnglish

Stern Nachrichten — de.grunerundjahr.sternneu

The Economist — com.economist.lamarr

The Huffington Post — com.huffingtonpost.HuffingtonPost

The Wall Street Journal — com.dowjones.WSJ.ipad

Vice News — com.vice.news.VICE-News

Games

8 Ball Pool

— com.miniclip.8ballpoolmult

AMAZE!!! — com.amaze.game

Bejeweled — com.ea.ios.bejeweledskies

Block Puzzle —Game.BlockPuzzle

Classic Bejeweled — com.popcap.ios.Bej3

Classic Bejeweled HD —com.popcap.ios.Bej3HD

FlipTheGun — com.playgendary.flipgun

Fruit Ninja — com.halfbrick.FruitNinjaLite

Golfmasters — com.playgendary.sportmasterstwo

Letter Soup — com.candywriter.apollo7

Love Nikki — com.elex.nikki

My Emma — com.crazylabs.myemma

Plants vs. Zombies

Heroes — com.ea.ios.pvzheroes

Pooking – Billiards City — com.pool.club.billiards.city

PUBG Mobile — com.tencent.ig

Tomb of the Mask — com.happymagenta.fromcore

Tomb of the Mask: Color — com.happymagenta.totm2

Total Party Kill — com.adventureislands.totalpartykill

Watermarbling — com.hydro.dipping

Social Networking

TikTok — com.zhiliaoapp.musically

ToTalk — totalk.gofeiyu.com

Tok — com.SimpleDate.Tok

Truecaller — com.truesoftware.TrueCallerOther

Viber — com.viber

Weibo — com.sina.weibo

Zoosk — com.zoosk.Zoosk

Other

10% Happier: Meditation —com.changecollective.tenpercenthappier

5-0 Radio Police Scanner — com.smartestapple.50radiofree

Accuweather — com.yourcompany.TestWithCustomTabs

AliExpress Shopping App — com.alibaba.iAliexpress

Bed Bath & Beyond — com.digby.bedbathbeyond

Dazn — com.dazn.theApp

Hotels.com — com.hotels.HotelsNearMe

Hotel Tonight — com.hoteltonight.prod

Overstock — com.overstock.app

Pigment – Adult Coloring Book — com.pixite.pigment

Recolor Coloring Book to Color — com.sumoing.ReColor

Sky Ticket — de.sky.skyonline

The Weather Network — com.theweathernetwork.weathereyeiphone

Shortly after the report was published, 10% Happier: Meditation and Hotel Tonight promised to stop the behavior and quickly followed through. TikTik also promised to stop but has never done so, Mysk said. None of the other apps has stopped either, he said.

Clipboard reading done right

In some cases, clipboard reading can make apps much more useful. The UPS iPhone app, for instance, pulls text from the clipboard and in the event the text matches the characteristics of a tracking number, the app prompts the user to track the corresponding package. Google Chrome also pulls text and, in the event it’s a URL, will prompt the user to browse to it. The Pixelmator photo editor reads data only if it’s an image. If it is, Pixelmator will prompt the user to open it for editing. In all three cases, the data reading has a clear use case and is transparent.

TikTok and the other offending apps, by contrast, access the clipboard for no clear reason and with no indication they are doing so. For many apps, it’s hard to see any legitimate performance or usability reason for the access. Mysk said that Apple plans to credit his and Haj Bakry’s research as a catalyst for the new clipboard notification put into iOS 14.

The clipboard reading Haj Bakry and Mysk reported raises concerns that likely extend to those using Android and possibly other operating systems. Mysk said that clipboard reading in Android apps is “even worse” than iOS because the OS APIs are so much more lenient. Until version 10, for instance, Android allowed apps running in the background to read the clipboard. iOS apps, by contrast, can read or query clipboards only when active (that is, running in the foreground).

Mysk said that Apple’s notification feature is a good start but, ultimately, Apple and Google should do more. One possibility is to make clipboard access a standard permission, just as access to a mic or camera is now. Another possibility is to require app developers to disclose precisely what clipboard data is accessed and what the app does with it.

For now, users should remain aware that any data stored in the clipboard—despite it being inconspicuous to the naked eye—can be regularly accessed by apps that in many cases aren’t even installed locally on the device. When in doubt, flush the clipboard data by copying a character, word, or other piece of innocuous data.

Source link

قالب وردپرس

from World Wide News https://ift.tt/3g9sran

#World Wide News

0 notes

kizaki · 5 years ago

Photo

Jeremy BurgeさんはTwitterを使っています「Okay so TikTok is grabbing the contents of my clipboard every 1-3 keystrokes. iOS 14 is snitching on it with the new paste notification https://t.co/OSXP43t5SZ」 / Twitter

0 notes

livesanskrit · 2 years ago

Text

Send from Sansgreet Android App. Sanskrit greetings app from team @livesanskrit .

It's the first Android app for sending @sanskrit greetings. Download app from https://livesanskrit.com/sansgreet

World Emoji Day.

World Emoji Day is an annual unofficial holiday occurring on 17 July, intended to celebrate emoji; in the years since the earliest observance, it has become a popular date to make product or other announcements and releases relating to emoji.

#sansgreet #sanskritgreetings #greetingsinsanskrit #sanskritquotes #sanskritthoughts #emergingsanskrit #sanskrittrends #trendsinsanskrit #livesanskrit #sanskritlanguage #sanskritlove #sanskritdailyquotes #sanskritdailythoughts #sanskrit #resanskrit #worldemojiday #emojiday #emoji #emojis #whatsapp #telegram #facebook #snapchat #signal #socialmedia #emojipedia #jeremyburge #appleiphone #mobilephone #celebratingsanskrit

0 notes

jeremyburge · 8 years ago

Photo

The system-wide volume “HUD” on iOS continues to block video content as you try to watch it in iOS 11 as seen here in the default iOS photos app:

Apps have been taking this into their own hands for a while now and I love this new one from Instagram (shown up top of this post).

Filling the notch on iPhone X, here’s why I like this design:

It’s visible, yet remains out of the way

No one needs to see the time when changing volume

The icons are clear - especially the X next to the speaker for mute

IT DOESN’T BLOCK ANY CONTENT

Well done Instagram team! 👏

Update: apparently Reddit client Apollo did this first:

...and since we're here, take a look at Twitter's version:

Also quite good: Twitter’s volume indicator when playing video. Aligned under the notch. pic.twitter.com/kpJvgg6o4y

— Jeremy Burge (@jeremyburge)

December 20, 2017

More “notch-friendly” designs (including Apollo) were rounded up here by John Vorhees.

#instagram #ios #ui #notch #iphone x

8 notes · View notes

hackernewsrobot · 5 years ago

Text

iOS14 reveals that TikTok may snoop clipboard contents every few keystrokes

https://twitter.com/jeremyburge/status/1275896482433040386 Comments

0 notes

folhadefeira · 6 years ago

Text

Facebook sugere amigos usando seu número de celular para login em duas etapas

O Facebook recomenda que você informe seu número de celular para ativar a autenticação por dois fatores. No entanto, esse telefone não pode ser totalmente escondido do seu perfil: ele pode ser usado para recomendar amigos que tenham você em sua lista de contatos. Tentar manter a privacidade no Facebook é mesmo uma tarefa ingrata.

Como ativar a autenticação de dois fatores no Facebook

Como impedir que anunciantes usem seu número de telefone no Facebook

A situação é meio complicada. O Facebook sugere insistentemente que você coloque seu número de celular no perfil, lembrando que isso é útil para proteger a conta. Se alguém roubar sua senha, precisará também do código enviado por SMS graças à autenticação de duas etapas.

No entanto, há uma opção nas configurações chamada “Quem pode procurar você usando o número de telefone fornecido?”. Ela está configurada para “Todos” por padrão, e pode ser ajustada para “Amigos” ou “Amigos de amigos” — não existe a opção “Somente eu”.

O Facebook diz ao TechCrunch que o recurso é definido para “Todos” por padrão porque isso facilita encontrar pessoas que você conhece. A rede social lembra que isto não é algo novo, e diz: “agradecemos os comentários que recebemos sobre essas configurações e levaremos isso em consideração.”

Facebook usa seu número para sugerir amizades

Antigamente, era possível digitar um número de telefone no campo de busca para encontrar pessoas. Esse recurso foi desativado em 2018, pouco após o escândalo Cambridge Analytica. O Facebook disse na época que golpistas abusaram dessa função, usando-a para coletar dados e formar perfis incluindo nome completo e localização.

No entanto, seu número ainda pode ser usado para encontrar você de outras formas, “como quando alguém carrega suas informações de contato no Facebook usando o celular”, segundo este artigo de ajuda. Ah, e o Messenger permite encontrar pessoas pelo número de celular.

Além disso, como foi revelado no ano passado, o Facebook direciona anúncios usando seu número de celular — mesmo que ele sirva apenas para login em duas etapas. Ensinamos aqui como impedir que anunciantes usem seu telefone no Facebook.

Facebook permite usar 2FA sem pedir seu celular

Felizmente, é possível usar aplicativos de terceiros: você pode obter códigos de login gerados pelo Authy, Google Authenticator ou Microsoft Authenticator. Para saber mais, confira nosso tutorial para a autenticação de dois fatores no Facebook.

Jeremy Burge, da Emojipedia, chamou a atenção para este aspecto do Facebook. Ele nota que o número de celular é “um código de identificação único usado para conectar sua atividade entre todas as plataformas na internet; é por isso que toda startup quer seu telefone”.

For years Facebook claimed the adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that. pic.twitter.com/zpYhuwADMS

— Jeremy Burge

(@jeremyburge) March 1, 2019

The original FB phone number prompt never mentioned “and more”. It was shown for MONTHS before a link was added in September 2018 clarifying “actually we’ll use this wherever we damn well please” pic.twitter.com/FcOTIZdVf5

— Jeremy Burge

(@jeremyburge) 1 de março de 2019

Com informações: TechCrunch, The Next Web.

Facebook sugere amigos usando seu número de celular para login em duas etapas

O post Facebook sugere amigos usando seu número de celular para login em duas etapas apareceu primeiro em Folha de Feira.

source https://folhadefeira.com/facebook-sugere-amigos-usando-seu-numero-de-celular-para-login-em-duas-etapas/

0 notes

gslin · 6 years ago

Text

移除 Facebook 上的行動電話

Facebook 上的行動電話號碼除了被拿來當作 2FA 的備案外，也被強制分享。更糟的是還被拿來當作廣告的條件：

For years Facebook claimed the adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that. pic.twitter.com/zpYhuwADMS

— Jeremy Burge 🐥🧿 (@jeremyburge) March 1, 2019

This is so crazy: even if you deliberately don't include your mobile number in your Facebook profile, they'll harvest it…

View On WordPress

#2fa #ad #authentication #facebook #factor #mfa #mobile #multi #phone #security #telephone #totp #two #u2f

0 notes

un-enfant-immature · 6 years ago

Text

Facebook won’t let you opt-out of its phone number ‘look up’ setting

Users are complaining that the phone number Facebook hassled them to use to secure their account with two-factor authentication has also been associated with their user profile — which anyone can use to “look up” your profile.

Worse, Facebook doesn’t give you an option to opt-out.

Last year, Facebook was forced to admit that after months of pestering its users to switch on two-factor by signing up their phone number, it was also using those phone numbers to target users with ads. But some users are finding out just now that Facebook’s default setting allows everyone — with or without an account — to look up a user profile based off the same phone number previously added to their account.

The recent hubbub began today after a tweet by Jeremy Burge blew up, criticizing Facebook’s collection and use of phone numbers, which he likened to “a unique ID that is used to link your identity across every platform on the internet.”

For years Facebook claimed the adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that. pic.twitter.com/zpYhuwADMS

— Jeremy Burge (@jeremyburge) March 1, 2019

Although you can hide your phone number on your profile so nobody can see it, it’s still possible to “look up” user profiles in other ways, such as “when someone uploads your contact info to Facebook from their mobile phone,” according to a Facebook help article. It’s a more restricted way than allowing users to search for user profiles using a person’s phone number, which Facebook restricted last year after admitting “most” users had their information scraped.

Facebook gives users the option of allowing users to “look up” their profile using their phone number to “everyone” by default, or to “friends of friends” or just the user’s “friends.”

But there’s no way to hide it completely.

Security expert and academic Zeynep Tufekci said in a tweet: “Using security to further weaken privacy is a lousy move — especially since phone numbers can be hijacked to weaken security,” referring to SIM swapping, where scammers impersonate cell customers to steal phone numbers and break into other accounts.

See thread! Using security to further weaken privacy is a lousy move—especially since phone numbers can be hijacked to weaken security. Putting people at risk. What say you @facebook? https://t.co/9qKtTodkRD

— zeynep tufekci (@zeynep) March 2, 2019

Tufekci’s argued that users can “no longer keep keep private the phone number that [they] provided only for security to Facebook.”

Facebook spokesperson Jay Nancarrow told TechCrunch that the settings “are not new,” adding that, “the setting applies to any phone numbers you added to your profile and isn’t specific to any feature.”

Gizmodo reported last year that Facebook uses that when a user gives Facebook a phone number for two-factor, it “became targetable by an advertiser within a couple of weeks.” And, if a user doesn’t like it, they can set up two-factor without using a phone number — which hasn’t been mandatory for additional login security since May 2018.

Even if users haven’t set up two-factor, there are well documented cases of users having their phone numbers collected by Facebook, whether the user expressly permitted it or not. In 2017, one reporter for The Telegraph described her alarm at the “look up” feature, given she had “not given Facebook my number, was unaware that it had found it from other sources, and did not know it could be used to look me up.”

To the specific concerns by users, Facebook said: “We appreciate the feedback we’ve received about these settings and will take it into account.”

Concerned users should switch their “look up” settings to “Friends” to mitigate as much of the privacy risk as possible.

When asked specifically if Facebook will allow users to users to opt-out of the setting, Facebook said it won’t comment on future plans. And, asked why it was set to “everyone” by default, Facebook said the feature makes it easier to find people you know but aren’t yet friends with.

Others criticized Facebook’s move to expose phone numbers to “look ups,” calling it “unconscionable.”

Alex Stamos, former chief security officer and now adjunct professor at Stanford University, also called out the practice in a tweet. “Facebook can’t credibly require two-factor for high-risk accounts without segmenting that from search and ads,” he said.

Since Stamos left Facebook in August, Facebook has not hired a replacement chief security officer.

Facebook’s weapon amid chaos and controversy: misdirection

#TechCrunch

0 notes