Universal copy/paste vulnerability

[DogHouseDub]

As I waited in the Denver Airport for a connecting flight, I opened the calendar app on my iPhone (16 Pro running 26.2) and was greeted with the "Allow paste from Safari" dialog box. I clicked "Allow," and a new appointment was pasted into my calendar. To my surprise, the appointment was from a user I didn't recognize for an appointment I didn't make.

Annoying, but easily solved.

More troubling is how my iPhone grabbed someone else's clipboard contents from iCloud? I don't want to overreact, but I have Universal copy/paste on all my devices, and I'm copying sensitive information all the time.

I submitted this to Apple Product Security and was told it is not a security problem.

Has anyone heard of a similar issue?


*FWIW, I doubt that my iCloud account was breached. It is annoyingly secure with hardware 2FA (Yubikey) and 30+ characters of jibberish as a password.

 

[jz0309]

As I waited in the Denver Airport for a connecting flight, I opened the calendar app on my iPhone (16 Pro running 26.2) and was greeted with the "Allow paste from Safari" dialog box. I clicked "Allow," and a new appointment was pasted into my calendar. To my surprise, the appointment was from a user I didn't recognize for an appointment I didn't make.

Annoying, but easily solved.

More troubling is how my iPhone grabbed someone else's clipboard contents from iCloud? I don't want to overreact, but I have Universal copy/paste on all my devices, and I'm copying sensitive information all the time.

I submitted this to Apple Product Security and was told it is not a security problem.

Has anyone heard of a similar issue?


*FWIW, I doubt that my iCloud account was breached. It is annoyingly secure with hardware 2FA (Yubikey) and 30+ characters of jibberish as a password.

I do not recall ever seeing this, but tbh, if I were get a "surprising" request like that, one that I didn't initiate, I'd never say "allow" ...

 

[turbineseaplane]

I've was AirDropped some "interesting" pictures onboard a plane once.

 

[DogHouseDub]

I do not recall ever seeing this, but tbh, if I were get a "surprising" request like that, one that I didn't initiate, I'd never say "allow" ...

When I see those pop-ups, I'm often confused about the context: does "Allow paste from Safari" mean right now, for something on my clipboard? Or is this a general request to change an app-specific setting that allows pasting in the future? If I assume it's the latter, then I click "Allow".

 

[HouseLannister]

When I see those pop-ups, I'm often confused about the context: does "Allow paste from Safari" mean right now, for something on my clipboard? Or is this a general request to change an app-specific setting that allows pasting in the future? If I assume it's the latter, then I click "Allow".

It's allow this instance, not always allow. I get this pop up when I copy a code from my Gmail and then go back to Safari to paste it into the verification box. But it does not remember this and will always re-ask.

 

[Diopter]

This is a very interesting case.

I wonder if what you were "pasting" was a URL to a .ics file - a calendar invitation.

Since it said it was pasting it from Safari, that means whatever it was must have started from there. I assume it wasn't something you copied, so that makes me think it could be from a malicious ad or exploited site which managed to copy the URL to the pasteboard via JavaScript. The category of JavaScript actions that allow copying to the clipboard are normally only allowed by Safari in response to a user action, like tapping on something.

Were you on the airport's Wi-Fi at the time?