Slashdot Mirror


Huge iPhone Cut-and-Paste Tool Security Flaw

Harry writes "I'm using Pastebud, the new third-party copy-and-paste solution for the iPhone. It's extremely clever, using a Web-based clipboard to get around the fact that Apple doesn't provide one on the phone. Unfortunately, it seems to be giving users access to e-mails that other Pastebud users send to their clipboards. This has happened to me repeatedly and is being reported by other users in Pastebud's Get Satisfaction support forum. Pastebud is operational and still doing this as I write, even though a message at Get Satisfaction says they're working on the problem."

4 of 85 comments

  1. Why does it go to a server, anyway? by The+Amazing+Fish+Boy · · Score: 3, Interesting
    When I first heard of this trick, I thought it was pretty damn clever. But the way I'd imagined it from the headline was that it would use the mailto: pseudo-protocol to paste to Mail, and would use HTML5 client-side database or a cookie of some sort to store it in the browser. My idea was basically three bookmarklets:
    1. Copy: Stores selected text in client-side database or cookie
    2. Paste: Pastes into text field in browser
    3. Paste to Mail: Opens a URL to mailto:replace@this.com?body=$clipboardContents

    Obviously this wouldn't work for copying from Mail to Safari, but I was kind of confused as to when that would come in handy anyway. The trade-off for security would be worth it, and if you really wanted to, you could still do a trip to a server for Mail-to-Safari copying.

    I haven't delved into the bookmarklets yet, so maybe it's not possible for some reason, but does anyone know why they would choose to have it make a trip to the server when it seems like it could be pretty easily avoided?

    1. Re:Why does it go to a server, anyway? by furball · · Score: 2, Interesting
      I have a hunch that Steve is looking for something a lot better than text copy-paste. Copy-paste done correctly is more complicated than you think it is.

      If I copy text, does it copy attributes? Does bold text retain its boldness? Etc.

      What happens when I want to copy an email address from the address book? Am I limited to copying read-only text or read-write text? Why can't I copy a whole address book entry? What happens when I paste the address book entry?

    2. Re:Why does it go to a server, anyway? by Jay+L · · Score: 2, Interesting

      Not sure where you've read the countless defenses of lack-of-cut-and-paste, but Apple doesn't seem to agree. It's on their list; other things were higher on their list. I myself don't care about Exchange-server compatibility, and would MUCH rather have cut-and-paste. I'm sure others have their own personally-improved priority lists.

      I think Apple's done pretty well for an OS that's only 18 months out of the gate. Anything that new is bound to have some of what I call "unconscionably absent" features. I'm looking forward to cut-and-paste.
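Added example, not code from Pastebud or from the commenter: a sketch of the three-bookmarklet design proposed in the first comment above, with the clipboard kept in the browser's own storage instead of on a shared server. The storage key, the in-memory storage stand-in and the field-shaped objects are assumptions made so the logic runs outside a browser; `replace@this.com` is the placeholder address from the comment. The security-relevant detail is the `mailto:` body: clipboard text is percent-encoded, since a raw `&` or newline in the body would otherwise be parsed as additional header fields (for instance an injected `cc=`).

```javascript
// Added example (not Pastebud's code): a browser-local clipboard in the spirit
// of the three-bookmarklet design above. Storage is injected so the logic runs
// under Node; in a real bookmarklet you would pass window.localStorage.
const CLIP_KEY = "local-clip"; // hypothetical storage key, not Pastebud's

// Minimal stand-in for the Web Storage API so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Bookmarklet 1 ("Copy"): keep the selection in origin-scoped storage.
// Nothing leaves the device, so no other user can read it.
function makeClipboard(storage) {
  return {
    copy(text) { storage.setItem(CLIP_KEY, text); return text.length; },
    paste() { return storage.getItem(CLIP_KEY) ?? ""; },
    clear() { storage.removeItem(CLIP_KEY); },
  };
}

// Bookmarklet 2 ("Paste"): splice clipboard text into a text field at the cursor.
// `field` is any object shaped like an <input>/<textarea>:
// value, selectionStart, selectionEnd.
function insertAtCursor(field, text) {
  const start = field.selectionStart ?? field.value.length;
  const end = field.selectionEnd ?? start;
  field.value = field.value.slice(0, start) + text + field.value.slice(end);
  field.selectionStart = field.selectionEnd = start + text.length;
  return field.value;
}

// Bookmarklet 3 ("Paste to Mail"): build the mailto: URL. The body must be
// percent-encoded: an unencoded '&' or newline in clipboard text would otherwise
// be parsed as extra header fields (e.g. "&cc=..."), a header-injection hazard.
// `to` is the placeholder address from the comment above.
function mailtoUrl(body, to = "replace@this.com") {
  return "mailto:" + to + "?body=" + encodeURIComponent(body);
}

// Wrap a function into the javascript: URL form that a bookmark bar stores.
function bookmarkletUrl(fn) {
  return "javascript:(" + fn.toString() + ")()";
}

// How it would be wired in a real page (not executed here, since there is no DOM):
//   copy:  makeClipboard(localStorage).copy(String(getSelection()))
//   paste: insertAtCursor(document.activeElement, makeClipboard(localStorage).paste())
//   mail:  location.href = mailtoUrl(makeClipboard(localStorage).paste())

if (typeof require !== "undefined" && require.main === module) {
  const clip = makeClipboard(memoryStorage());
  clip.copy("meet at 10\nroom 4 & 5"); // constructed sample clipboard text
  console.log(mailtoUrl(clip.paste()));
}
```

One caveat on the design itself: a bookmarklet runs in the origin of the page it is invoked on, and both `localStorage` and cookies are scoped to that origin, so text copied on one site is not visible to the paste bookmarklet on another site. The purely client-side scheme therefore only covers copy and paste within a single origin (plus the `mailto:` hand-off), which is one reason a shared server is tempting, and exactly where the isolation between users then has to be enforced.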

  2. When will companies learn to disable 'noreply'? by JSBiff · · Score: 4, Interesting

    Seems like every few months you hear yet another story about something bad happening because people are replying to or otherwise using a 'noreply' email address. Here's a clue - if you ever send emails to anyone from a 'noreply' address (or some other similar account name), you better make damn sure your servers are configured to not do something bad or stupid when unobservant users actually do reply to it.

    I will give them credit for this: *at least* it was noreply at their own domain. Too often, when you hear about this sort of thing, it's because a company did something like sending an email with a return address of 'noreply@donotreply.com' or something like that (where the domain is not their domain, and is a string which could potentially be registered by someone). I remember reading (ok, just found the story again) about a guy who had registered the domain 'donotreply.com' for yucks, and started getting all sorts of stuff like replies from Capital One bank customers, when Capital One sent some emails with the donotreply.com as the domain. (Sadly, the website www.donotreply.com where the guy used to blog about all the emails seems to be down now; wonder what happened to it - probably sunk by a lawsuit, or maybe the guy finally got bored of spending his free time reading thousands of emails).