
Every day I read about another outrage being committed by another garbage app that I do not have and would never install on my phone. Why do people need a LinkedIn app? Even if you think that you need LinkedIn, can’t you access your please-spam-me account through your browser? Isn’t it obvious that every closed-source mystery program that you install increases your attack surface? You wouldn't click on an email attachment from a stranger in Russia, so why install an executable from a company that you already know is unethical?


Perhaps not relevant to LinkedIn specifically, but in general people install these apps because they eventually get fed up with the purposefully crippled mobile website badgering them about it. Ever tried to use Yelp or Reddit's mobile websites? Impossible.


>Ever tried to use Yelp or Reddit's mobile websites? Impossible

The other day I tried to view a subreddit in Safari. It was literally impossible, it was claimed to be only available in the app.


If you don't mind seeing the desktop interface, prepend "old" to the domain on any reddit page (i.e. change the domain to old.reddit.com) to bring up the legacy interface. Loads quick and works fine on mobile if you don't mind zooming.

That said, it's ridiculous that this is necessary.


For a super legacy experience, try i.reddit.com

https://i.reddit.com/


If only there was an app for always on desktop mode.


You can just turn the toggle on in Firefox on Android and it stays on in that tab until you turn it off (or close the tab)


I use my mobile browser to read Reddit threads posted on HN. Not terrible but I don't know in which ways the app is better.


I'm a little surprised that iOS content blockers haven't seemed to address nagware.


Content blockers aren't allowed to inject arbitrary JS which is often necessary to fix broken websites, unlike uBlock Origin.


Actually, no, I never have. But if I wanted to wallow in these sewers for some reason, and the mobile sites were unusable, I would use my laptop, or just manage to find some way to survive without them. Installing their apps is out of the question.


Think it's just the app? Hope you don't have your clipboard events enabled in your browser

Edit for those interested:

tl;dr: "asynchronous clipboard API" [0]

Overtly, it's used by shit news sites like WSJ, nytimes, and bloomberg to inject their shit into your clipboard when you copy-paste. A common thing I've noticed is selecting text, copying the text, and then pasting somewhere and seeing a link to the original article instead.

I'm not sure if they're still doing it; there have been several people complaining about this over time [1] [2] [3] [4] [5] [6]. I found this awesome article on the Security StackExchange from 2013 [8].

Also it's not just javascript. You might be forgiven for thinking that using a command-line interface would spare you. Unfortunately you'd be wrong; mosh, tmux, vi, emacs all support your terminal emulator's clipboard events. [7] [8]

[0]: https://www.w3.org/TR/clipboard-apis/

[1]: 4 months ago: https://news.ycombinator.com/item?id=22352674

[2]: 4 months ago: https://news.ycombinator.com/item?id=22446940

[3]: 8 months ago: https://news.ycombinator.com/item?id=21377598

[4]: March 2019: https://news.ycombinator.com/item?id=19384895

[5]: December 2017: https://news.ycombinator.com/item?id=16034854

[6]: September 2015: https://news.ycombinator.com/item?id=10301881

[7]: Three months ago: https://news.ycombinator.com/item?id=22815757

[8]: https://security.stackexchange.com/q/39118/47800


To read the clipboard, a website needs explicit permission to do so, no way to go unnoticed.


Right. Firefox and Safari (iOS and desktop) haven't implemented the Clipboard.read functionality yet either, only Chrome has and it's only available on user action such as a click or keydown (and not available on touch or scroll events).

But they can copy to your clipboard for you, a lot of services use "Click to copy" features. But reading is much harder.

iOS before 14.0 appears to have allowed apps to read clipboard contents without making that clear to users. Now that you get a notification whenever an app reads the clipboard, it has become fairly clear a lot of apps are reading clipboards constantly. For what… we all wonder.
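Added example, not part of any comment in this thread: a way to observe the read and write calls discussed above by wrapping the async Clipboard API methods and recording each call with its outcome. The names `instrumentClipboard`, `makeFakeClipboard` and `demo` are hypothetical, and the fake clipboard is a constructed stand-in for `navigator.clipboard` so the block runs outside a browser.

```javascript
// Added example: record every call a page makes to the async Clipboard API.
function instrumentClipboard(clipboard, log) {
  const originals = {};
  for (const name of ["read", "readText", "write", "writeText"]) {
    // Not every browser ships every method, so skip the missing ones.
    if (typeof clipboard[name] !== "function") continue;
    const original = clipboard[name];
    originals[name] = original;
    clipboard[name] = async function (...args) {
      const entry = { method: name, time: Date.now(), outcome: "pending" };
      log.push(entry);
      try {
        const result = await original.apply(clipboard, args);
        entry.outcome = "resolved";
        return result;
      } catch (err) {
        // Browsers reject with NotAllowedError when permission is missing.
        entry.outcome = "rejected:" + err.name;
        throw err;
      }
    };
  }
  return () => Object.assign(clipboard, originals); // call to undo the wrapping
}

// Constructed stand-in for navigator.clipboard; readAllowed models the permission.
function makeFakeClipboard(readAllowed) {
  let contents = "";
  return {
    async writeText(text) { contents = text; },
    async readText() {
      if (!readAllowed) {
        throw Object.assign(new Error("read denied"), { name: "NotAllowedError" });
      }
      return contents;
    },
  };
}

// Constructed page behaviour: one silent write, then one read attempt.
async function demo(readAllowed) {
  const log = [];
  const clipboard = makeFakeClipboard(readAllowed);
  instrumentClipboard(clipboard, log);
  await clipboard.writeText("https://example.invalid/article");
  await clipboard.readText().catch(() => {});
  return log.map((e) => `${e.method}:${e.outcome}`).join(",");
}
```

In a browser the same wrapper would be applied to `navigator.clipboard` before page scripts run. It does not see `copy` event handlers or `document.execCommand("copy")`, which are separate mechanisms from the async API.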


Can you explain this a bit for me here?


Thanks for the details. I agree that it’s obnoxious for sites to interfere with copy. But they still can’t read from the clipboard, which is the topic here. And your [8] seems to be about the user deciding to paste unsafe content — totally different issue, isn’t it?


> they still can’t read from the clipboard

Incorrect; the API is here [0].

[0]: https://www.w3.org/TR/clipboard-apis/#dom-clipboard-read

It is at least supposed to be hidden behind a permission. What's the default for that permission though? I sure hope Google^H^H^H^H^H^HMicrosoft^H^H^H^H^H^H^H^H^Hsome evildoer doesn't find a way to override your permission setting. A reset of configuration data after an automatic update might do the trick...

> And your [8] seems to be about the user deciding to paste unsafe content — totally different issue, isn’t it?

Perhaps you are right. I won't claim to fully understand how tty programs work. However:

* `emacs` documentation describes an ability to interact with the user's system clipboard [1].

* `tmux` integrates with the user's system clipboard [2].

* `mosh` apparently caches the user's system clipboard [3].

* `vim` has special registers to represent the user's system clipboard [4] [5].

If the system is using dbus (nearly every Linux based OS), it's pretty easy to do. Here's a python script using GTK to do so [6]. A high level overview of the clipboard is described in the freedesktop specification [7].

I think it's really unfortunate that desktop and CLI software is so insecure.

[1]: https://www.gnu.org/software/emacs/manual/html_node/emacs/Cl...

[2]: https://superuser.com/a/1336764

[3]: https://superuser.com/a/1336764

[4]: https://vi.stackexchange.com/a/96

[5]: https://vim.fandom.com/wiki/Accessing_the_system_clipboard

[6]: https://stackoverflow.com/a/21337063/1111557

[7]: https://specifications.freedesktop.org/clipboards-spec/clipb...


Of course there are APIs for accessing the clipboard. I probably use Vim’s clipboard registers 300 times a day. None of this has anything to do with closed source programs reading the clipboard without permission. Speculating that somehow an app might “override your permission setting” is not really informative. There might be any number of exploits.


> None of this has anything to do with closed source programs reading the clipboard without permission.

This has everything to do with closed source programs reading the clipboard without permission since there are no permissions involved in desktop operating systems.


Oh, OK. But all of your examples are open source programs. And there is a reason I only run open source programs on the desktop (except maybe for a driver or two, I guess, possibly). I'm not afraid that Vim is scraping my clipboard and selling the contents to an advertising firm. Because it’s not.


I read something recently that gave the impression browsers didn't allow this and they could only modify the clipboard?

I'm not saying this is true, rather asking if I got the wrong impression.


What I don't understand is why the browsers and OSs aren't preventing this. This is a massive security hole.

An app doesn't need access to the clipboard unless I'm actively pasting to it while it's in focus.


Yeah, but companies are more competent than government and that's what matters

https://news.ycombinator.com/item?id=23716931

right?



