Applications can access NSPasteboard without user permission

Originator: mcohen
Number: rdar://26843986
Date Originated: 2016-06-16
Status: Duplicate/9851038
Resolved:
Product: OS X
Product Version:
Classification: Security
Reproducible:
 
Summary:
Users place all sorts of data into their pasteboard, including passwords and other items that should remain secure.  It is trivial for a Mac application (or an iOS app with background capabilities) to frequently poll NSPasteboard for new data, log it, and upload it to a server for harvesting.

The new expiration option is irrelevant - the data can be harvested very quickly, before any viable timer runs out.

Users should be prompted to give any application permission to programmatically read NSPasteboard.  Manual pasting shouldn't be impacted.  I think it would also be fine for an application to read NSPasteboard items copied in by the current application.

Steps to Reproduce:
Copy text into the pasteboard.  Watch a monitoring application grab it quickly.  Some commercial applications already do this (like Facebook for iOS, which pre-fills URLs into its share field).  Who knows what's happening with the data.

A trivial application example:

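#import "AppDelegate.h"  // Xcode template header; declares AppDelegate and imports Cocoa

@interface AppDelegate ()
@property (nonatomic, strong) NSString *lastPasteboardString;
@end

@implementation AppDelegate

// Poll the general pasteboard once per second; no permission prompt is shown.
- (void)applicationDidFinishLaunching:(NSNotification *)aNotification {
    [NSTimer scheduledTimerWithTimeInterval:1.0 target:self selector:@selector(logPasteboardItem) userInfo:nil repeats:YES];
}

// Log the pasteboard string whenever it differs from the last value seen.
- (void)logPasteboardItem {
    NSString *str = [[NSPasteboard generalPasteboard] stringForType:NSPasteboardTypeString];
    // str is nil when the pasteboard holds no string; skip it instead of logging "(null)" on every tick.
    if (str != nil && ![str isEqualToString:self.lastPasteboardString]) {
        NSLog(@"New pasteboard item found: %@", str);
        self.lastPasteboardString = str;
    }
}

@end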


Expected Results:
User is prompted to give an application permission to read all items from the pasteboard.

Actual Results:
User isn't prompted to give an application permission to read all items from the pasteboard.

Version:
OS X 10.11

Notes:


Configuration:


Attachments:
