Slashdot Mirror
Huge iPhone Cut-and-Paste Tool Security Flaw
Harry writes "I'm using Pastebud, the new third-party copy-and-paste solution for the iPhone. It's extremely clever, using a Web-based clipboard to get around the fact that Apple doesn't provide one on the phone. Unfortunately, it seems to be giving users access to e-mails that other Pastebud users send to their clipboards. This has happened to me repeatedly and is being reported by other users in Pastebud's Get Satisfaction support forum. Pastebud is operational and still doing this as I write, even though a message at Get Satisfaction says they're working on the problem."
...well you *ARE* trusting a small, third party entity with your data on the internet. Can you really expect things that are not on storage you monitor yourself to be secure? Furthermore, why can't it just store your clipboard through local storage? Does it really have to put it up online? Do Apple's apps have no way to store and retrieve local data?
Apple really should have this feature built in, but you shouldn't be surprised when your workaround that involves dumping your unencrypted data on a server somewhere has security issues.
(NOTE: Jed Schmidt of Pastebud fixed the problem I discuss in this post yesterday night after I notified him about it. It affected only users-such as me-who misconfigured the service. Scroll down for details...)
Harry,
I've updated this issue over at Get Satisfaction[1], but let me just summarize what exactly was going wrong: you were inadvertently forwarding your emails not to your secret pastebud address, but to the address set as the from address for these emails, which was noreply@pastebud.com.
This happened to other folks too; instead of sending email to secret-random-string@pastebud.com, they were sending to noreply@pastebud.com. And everyone who was doing this ended up sharing the same clipboard.
Anyway, I just wanted to let you know that we've fixed it, and the changed will be live by the morning. You can find more details about the issue here[1].
Thanks again for bringing this to our attention, and let me know if there's anything else you need clarification on.
Jed Schmidt
Founder, pastebud
a message at Get Satisfaction says they're working on the problem
They've already done that.
I suspect they should start working on a solution...
Do you or your partner snore? - Visit www.snoring.com.au
Seems like every few months you hear yet another story about something bad happening because people are replying to or otherwise using a 'noreply' email address. Here's a clue - if you ever send emails to anyone from a 'noreply' address (or some other similar account name), you better make damn sure your servers are configured to not do something bad or stupid when unobservant users actually do reply to it.
I will give them credit for this: *at least* it was noreply at their own domain. Too often, when you hear about this sort of thing, it's because a company did something like sending an email with a return address of 'noreply@donotreply.com' or something like that (where the domain is not their domain, and is a string which could potentially be registered by someone). I remember reading (ok, just found the story again) about a guy who had registered the domain 'donotreply.com' for yucks, and started getting all sorts of stuff like replies from Capital One bank customers, when Capital One sent some emails with the donotreply.com as the domain. (Sadly, the website www.donotreply.com where the guy used to blog about all the emails seems to be down now; wonder what happened to it - probably sunk by a lawsuit, or maybe the guy finally got bored of spending his free time reading thousands of emails).
My God. How fucking horrible are -any- of these solutions?!? This one, a local one, whatever. They're all fucking horrible! All because The Steve says cut-n-paste is not for a touch screen phone. Ye gods. But apparently this is acceptable to the RDF'ed masses. I've read countless blog posts justifying the 'no cut and paste' as being a good idea, anything to require no admission of the fact that it's an ugly stupid and inexcusable UI flaw.
No wait... in ALL this time, Apple still hasn't provided this basic functionality?
I wrote off the iPhone when I learned of the battery problem and haven't paid much attention to it since then. But one thing I expected to see resolved was the clipboard deficiency. I know some of my users were bouncing around happy when an update fixed some sync problem they were having and somehow among those fixes, I thought the clipboard feature was added, but I guess I was wrong.
One thing I find ironic about iPhone is that Apple has somehow managed to restrict the convenience and basic functionality right out of the machine. I won't deny iPhone's extremely enthusiastic fanbase. It is rather incredible. But the coolest thing one user had to show was the zippo lighter. Yes, it looks and acts like a zippo lighter and serves no function at all. (Now when it lights a virtual cigarette on another iPhone, I will be impressed!) But I find it more than a little amazing that Copy and Paste are still not present.
I think, perhaps, I understand why though. Apple may have created a security model that effectively prevents that from working -- even for themselves -- ever. If all apps, as I have read here, are chrooted to themselves and essentially shares nothing with the OS (which is somewhat hard to imagine...sharing nothing with the OS... how about some API code?) then it would seem that while security holes are effectively blocked forever, so too is basic functionality. Are iPhone apps not allowed to talk to a storage device that other iPhone apps are also allowed to talk to? It sounds like "no" since this paste program uses the inter-web to share data between apps. And what? This data isn't encrypted for individual users?