Pasteboard leaking sensitive information
When we copy or cut text in iOS, it goes into a buffer known as the pasteboard. In iOS, the pasteboard is shared among all applications. If one application copies data to the pasteboard, other applications can also access it by reading the pasteboard. In iOS, there are three types of pasteboard, which are as follows:
- General pasteboard: Used for generic copy and paste operations
- Find pasteboard: Used for search operations
- Custom pasteboard: Used for application-specific copy/cut operations
So, developers should be very careful about allowing sensitive data to be copied. If an application allows sensitive data, such as an SSN, PIN, and so on, to be copied to the pasteboard, then other applications can also access this sensitive information.
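One way to apply this advice in an app's own code, shown as an added example that is not from the original text: a text field that refuses copy and cut for sensitive values, and a helper for cases where copying must be allowed. The names `SensitiveTextField` and `copyWithExpiry` are hypothetical, and the 60-second lifetime is an assumed value.

```swift
import UIKit

// Hypothetical text field for values such as an SSN or PIN.
// It removes Copy and Cut from the edit menu so the value never
// reaches the general pasteboard from this field.
final class SensitiveTextField: UITextField {
    override func canPerformAction(_ action: Selector,
                                   withSender sender: Any?) -> Bool {
        if action == #selector(UIResponderStandardEditActions.copy(_:)) ||
           action == #selector(UIResponderStandardEditActions.cut(_:)) {
            return false
        }
        return super.canPerformAction(action, withSender: sender)
    }
}

// Hypothetical helper for when a copy has to be permitted.
// .localOnly keeps the item off other devices (no Handoff sharing);
// .expirationDate has the system drop the item after the deadline.
// Other apps on the same device can still read it until then, so
// this limits exposure time rather than removing the exposure.
func copyWithExpiry(_ value: String, lifetime: TimeInterval = 60) {
    let item: [String: Any] = ["public.utf8-plain-text": value]
    let options: [UIPasteboard.OptionsKey: Any] = [
        .localOnly: true,
        .expirationDate: Date().addingTimeInterval(lifetime)
    ]
    UIPasteboard.general.setItems([item], options: options)
}
```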
Let's follow the given steps to demonstrate the pasteboard data leakage vulnerability:
- Start the ContactDetails.ipa application and instead of entering the credit card number, paste it as shown in the following screenshot...