
LinkedIn is copying the contents of my clipboard on every keystroke - dondonleroy
https://twitter.com/doncubed/status/1278757106468806656
======
isignal
An explanation from LinkedIn:

[https://twitter.com/eberger45/status/1278843576638570496](https://twitter.com/eberger45/status/1278843576638570496)

\------ Hi @DonCubed . Appreciate you raising this. We've traced this to a
code path that only does an equality check between the clipboard contents and
the currently typed content in a text box. We don't store or transmit the
clipboard contents.

\----------

An example of this is in a library we have open sourced, and you can find the
fix here
[https://github.com/linkedin/Hakawai/](https://github.com/linkedin/Hakawai/)
([https://github.com/linkedin/Hakawai/pull/161/files/3881de368...](https://github.com/linkedin/Hakawai/pull/161/files/3881de3686e03920e367a508b21664d4a2985e94#diff-8dd7fa9c03c488418eef19eaa4489405)).
We will follow up once the fix is live in our app.

\-----------

~~~
fingerlocks
This should be higher, above all of the mobs teething for vengeance. It’s an
innocuous comparison of text input to the pasteboard to prevent unwanted
autocorrect insertions.[0] Probably the same code used by TikTok too.

the code and comments are here: [0]
[https://github.com/linkedin/Hakawai/pull/162/commits/c3f8958...](https://github.com/linkedin/Hakawai/pull/162/commits/c3f89585c097863c2017beb2a1774df21ad42da4#diff-8dd7fa9c03c488418eef19eaa4489405L369)
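
The per-keystroke equality check described in the LinkedIn explanation and in the comment above, next to one way to tell a paste from an autocorrect insertion without reading the pasteboard. This Swift code is an added example, not code from Hakawai or the LinkedIn app; all type names are hypothetical, and it assumes UIKit calls the text view delegate while `paste(_:)` is executing.

```swift
import UIKit

// Added illustration. Type names are hypothetical; nothing here is taken
// from Hakawai or the LinkedIn app.

/// Receives the classification so the caller can treat pastes and
/// autocorrect insertions differently.
protocol InsertionObserver: AnyObject {
    func didInsert(_ text: String, wasPasted: Bool)
}

// MARK: - Before: compare inserted text with the pasteboard

/// Reads UIPasteboard.general.string inside the change callback. The callback
/// runs for every edit, so the app touches the shared pasteboard on every
/// keystroke even though the value is only compared and then dropped.
final class PasteboardComparingDelegate: NSObject, UITextViewDelegate {
    weak var observer: InsertionObserver?

    func textView(_ textView: UITextView,
                  shouldChangeTextIn range: NSRange,
                  replacementText text: String) -> Bool {
        let pasted = !text.isEmpty && text == UIPasteboard.general.string
        observer?.didInsert(text, wasPasted: pasted)
        return true
    }
}

// MARK: - After: record the user's paste command instead

/// Text view that remembers when the user chose Paste. It never reads the
/// pasteboard itself; the system delivers the content through super.paste(_:).
final class PasteAwareTextView: UITextView {
    /// True only while a user-initiated paste is being applied.
    private(set) var isApplyingPaste = false

    override func paste(_ sender: Any?) {
        isApplyingPaste = true
        defer { isApplyingPaste = false }
        // Assumption: the delegate's shouldChangeTextIn callback fires
        // synchronously from inside super.paste(_:).
        super.paste(sender)
    }
}

/// Classifies an insertion by asking the text view whether a paste is in
/// progress, instead of comparing against pasteboard contents.
final class PasteAwareDelegate: NSObject, UITextViewDelegate {
    weak var observer: InsertionObserver?

    func textView(_ textView: UITextView,
                  shouldChangeTextIn range: NSRange,
                  replacementText text: String) -> Bool {
        let pasted = (textView as? PasteAwareTextView)?.isApplyingPaste ?? false
        observer?.didInsert(text, wasPasted: pasted)
        return true
    }
}
```

With the second variant the app code contains no `UIPasteboard` read at all, so pasteboard content reaches it only when the user issues the Paste command.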

~~~
erikrothoff
Seeing the mob mentality surrounding this is honestly scary. All the top voted
comments have pretty much decided that this is used for nefarious purposes,
with absolutely zero evidence. Same goes for TikTok and the DDG favicon saga
from yesterday. Whatever happened to Occam’s (edit: Meant Hanlon's) razor?

~~~
leokennis
Eh. It’s like I already punched you in the face 9 times. The 10th time I’m
making a punching motion, you’re probably going to duck away. Even if I wasn’t
going to punch you, but instead giving you an ice cream.

If you’re a shitty company (TikTok, LinkedIn) people are going to assume
you’re acting shitty when it looks like you’re acting shitty.

~~~
GordonS
Yeah, it's like _The Boy that Cried Wolf_ - sure, people shouldn't jump to
conclusions, but if we're shown something enough times it's easy to become
conditioned to a particular expectation.

------
DyslexicAtheist
LinkedIn has a history of acting like a cretin: multiple data breaches, dark
patterns where they don't fix their buggy mobile site and just put up a
disclaimer "problems with the mobile site - download our app" (just so that
they can harvest a wider range of data).

I managed many marketing campaigns on Linkedin over the years and spent
thousands each month on the platform as a corporate user. If you think that
paying for the service you'd be excluded from their shitty ads and get more
granular opt-out features than under a free-subscription model - but nope.

they have literally done nothing to deserve any trust from their users. People
still use it because they tell themselves "I might need it one day when I look
for a job". That's also wrong - if you're doing it right you build good social
connections in the real world because most (if not the only things) you get
from LinkedIn is scams.

The only upside where I find LinkedIn useful is for OSINT purposes. It's very
easy to find all types of people there and get a rough picture how companies
are run (what their employees are working on and what security problems that
might imply) and build what the recruiting industry calls talent-maps
(competitor analysis) which can be useful in infosec for threat & counter-intel.
But it has 0 value for any legitimate purposes (that they advertise the
service for).

~~~
cookiengineer
We were trying to recruit via LinkedIn for our startup but soon realized what
a shitty business model LinkedIn has.

We had to pay around ~5,00EUR for each and every click on "Apply" to our job
posting, which doesn't mean they even filled out the form.

And now, where LinkedIn is full of Indian scammers (not meant in a racist way,
but it is definitely perceived that way) we had costs for a "Local Area"
limited job posting for hundreds of people from India because they seem to use
LinkedIn via proxy.

When we had costs of over 2800EUR for an ad that was displayed less than 8
days, where literally 100% of people were not even from Europe, we decided to
fuck this shit and move on to other platforms.

LinkedIn is absolutely useless. Use University job sites, local meetups
(during non COVID times, of course), or open source projects to identify devs
that actually care about code.

Also, stackoverflow talents is useless. Their "special startup package" of
getting access to the platform for 2500EUR is only for one user, limited per
email and phone number, not allowed to login in parallel. Every job posting
costs additional 400EUR even if nobody applies for it.

You get nothing, as over 90% of people we have actively talked to are not even
looking for a job and never clicked that on any stackexchange platform.

I didn't realize how fucked recruiting is. Srsly, somebody needs to fix this.

~~~
OJFord
> full of Indian scammers (not meant in a racist way, but it is definitely
> perceived that way)

(I'm not Indian but) the non-racist way to say that is 'full of scammers',
since the scammers' nationality has nothing to do with your distaste for their
behaviour.

~~~
sgc
If all your scammers are from one geographical location halfway across the
world, it is fine to refer to it and you shouldn't be shamed for naming it.
Lest we police ourselves into ignorance.

~~~
the_other
Only if you are having a conversation where the demographics of the scammers
has relevance.

In the case of discussing LinkedIn, it doesn’t matter where the scammers are
from. The adjective is redundant in this context.

In this thread, almost any other adjective would have allowed the main meaning
of the sentence to continue uninterrupted (“filthy scammers”, “frustrating
scammers”, “purple scammers”, “fearless scammers”). “Scammers” already
includes a negative connotation. By adding a redundant adjective to an already
pejorative noun, you run the risk of imparting some of that negativity onto
the adjective as well. This easily leads to the perception of racism.

~~~
sgc
I don't agree with that. By giving the unique location you have indicated
there is a big problem that is perhaps more solvable than it would have been
otherwise, since there is a limited group of people, many who are presumably
organized, in a specific location. That is something much easier for LinkedIn
to deal with than a generalized trend to scam the site from around the world,
presumably with a much greater variety of tactics and targets.

------
doctoboggan
You have to imagine the Apple engineers who implemented this new clipboard
notification knew this shitstorm was coming.

~~~
RandallBrown
I'm guessing that's part of the reason they didn't implement a clipboard
permission. It would probably have broken a TON of stuff in weird ways.

I expect to see an actual clipboard permission at some point.

~~~
dewey
Maybe I'm missing something but a clipboard permission seems to be pretty
useless for most apps.

When I want to login I have to paste my password, when I want to paste an
email address into a Linkedin chat I need the clipboard.

So everyone would just grant that permission anyway as it makes a lot of apps
useless without and they'd just continue their harvesting after that. It would
be a very small percentage to selectively enable/disable the clipboard
permissions for certain tasks.

~~~
Vvector
The clipboard is controlled by the OS. When you 'paste' the OS sends the
contents to the app. There is no need for an app to have access to the
clipboard.

~~~
filleduchaos
I'm curious - have you ever actually looked into how clipboards work across
various OSes? Because programmatic clipboard access is the norm pretty much
across the board.

~~~
leppr
Except on the most popular application platform available of today: the web.
Imagine if every website could read your system clipboard at will.

I'm honestly amazed and horrified to learn that smartphone apps on the 2 OSs
have this capability. This capability, used legitimately, can only bring a
very, very slight UX improvement.

At this point, we know smartphone apps exploit any avenue they have to extract
data from their users, regardless of the perceived ethicality of their vendor.
The smartphone vendors more than any others know this. If there's an entity to
direct the blame towards it's Apple and Google for allowing this, when fixing
it on their part would be so trivial.

~~~
filleduchaos
> Except on the most popular application platform available of today: the web.

The web is not an operating system, for goodness' sake. A browser is itself an
application no different from a terminal emulator + shell (which also is
capable of running arbitrary other applications within its context).

> I'm honestly amazed and horrified to learn that smartphone apps on the 2
> OSes have this capability.

Prepare to be even more "amazed" and "horrified": I am willing to bet that
whatever desktop OS/distro you use does the same damn thing (providing apps
with programmatic access to the clipboard or clipboards).

If you don't want other applications to access some data, for heaven's sake
don't put it in what is literally a _shared buffer between applications_.

------
crazygringo
I've used plenty of software before that offers to do something based on
clipboard contents, often when there isn't even anywhere to paste.

E.g. a phone dialer app that asks if you want to dial the number in the
clipboard when you start it, an image editor that asks if I want to create a
new image size the dimensions of the clipboard, a torrenting program that when
I choose to import a torrent automatically grabs it from the clipboard before
I even get the choice to pick another option (though I still can).

I would be very surprised if this wasn't originally part of something like
that, and maybe the feature was removed but the detection function wasn't.

Because if we put down our pitchforks for a second, LinkedIn is owned by
Microsoft, which _also owns a major browser and the world's most popular
operating system_. Microsoft _sure_ as hell doesn't need to sniff your
clipboard in LinkedIn, if it wanted to do something for nefarious purposes.

Never attribute to malice that which is adequately explained by stupidity.

~~~
catalogia
Negligence from a trillion dollar corporation is a form of malice. They have
the money to audit their products for quality and privacy issues. Instead they
choose to not give a shit unless the media calls them out (and sometimes not
even then.)

~~~
XenophileJKO
I feel like many of the people that have this opinion never worked at a big
company in a big code base. It's probably a poorly coded feature from an
intern that was left in because it had some value but operated in a way it
shouldn't. Nobody is ever going to touch it until something like this happens.
Then someone will go. "Oh shit we better fix this. Tell the product manager
feature x is delayed so we can fix this shit storm."

~~~
catalogia
> _I feel like many of the people that have this opinion never worked at a big
> company in a big code base._

Well you're wrong about that.

> _Nobody is ever going to touch it until something like this happens._

And that's the problem. A problem a company like Microsoft has the cash to
avoid. They could hire more QA staff, but instead they've sacked tons.

Note that malice on the part of the corporation does not necessarily imply any
individual at the corporation had malicious intent, although that can never be
ruled out. Specifically, I am not claiming the intern who wrote the shitty
code and forgot about it had malicious intent. Rather the _organization
itself_ is malicious, because it's a paperclip maximizer.

------
fovc
This is apparently coming from an open-sourced component called Hakawai.

Somebody had to scramble to remove the clipboard code ASAP:
[https://github.com/linkedin/Hakawai/commit/fa7e8497040f5c36e...](https://github.com/linkedin/Hakawai/commit/fa7e8497040f5c36e0fc0a5879acc00f13f902ed)

Edit: Don't do mobile, but seems like it was a hack to distinguish between
text that was pasted and text added by autocorrect

~~~
jml7c5
As I understand, it is closed-source code causing the problem described. Erran
Berger linked to that Hakawai commit as an example of a different, open-source
project under the LinkedIn umbrella that has the same problem.

------
_bxg1
Guess I'm never copying and pasting anything sensitive on my phone ever again.
Still don't understand why clipboard-sniffing isn't behind a permissions flag.

~~~
rkagerer
Well, once upon a time you trusted the code running on your device.

In Chrome on Android, the flag you want is under _Settings | Site Settings |
Clipboard | Ask before allowing sites to read text and images from the
clipboard_ , and I think it's on by default.

~~~
_bxg1
iOS very early-on took on a model of not trusting the software you install on
it, and for good reason. Android and the web followed soon afterward. This is
the expectation today. Doubly so given Apple's chest-beating about privacy.
This clipboard scandal is unacceptable.

~~~
ztjio
Which is the whole point behind giving a notification about it. Clipboard use
is so core and fundamental, literally every app with any kind of entry box
would need to ask ahead or you'd hit that so randomly all the time nobody
would pay any attention to the warning.

The current feature being added allows _this_ to happen, for awareness to be
raised.

To be honest, I'm surprised we haven't heard of more snoopy apps already, but,
I guess that will come when the feature's out of beta.

~~~
cortesoft
Apps wouldn't have to ask ahead for a text entry box.... you just have to only
grant paste read access when a user explicitly chooses to paste by hitting a
button.

------
kmfrk
LinkedIn has had so many privacy disasters over the years, and it's kinda
crazy how we kinda tend to forget most of that eventually. I definitely
wouldn't trust them with much of your data.

------
A4ET8a8uTh0
Very not cool. I am a medium LinkedIn user, but now it is going to be limited
strictly to a PC browser, where I have some control. I just uninstalled it
from my cell. I got caught in the siren song of convenience.

Now how many other apps do this.

~~~
hyko
If someone steals your wallet, my advice is don’t let them drive you to the
airport.

~~~
A4ET8a8uTh0
I hear you, but I do get some value from LinkedIn (few prospects, interviews
and so on). In my little corner of the world, it has become de facto online
resume. I stand by my initial reaction. I am not sure I am ready to drop it
altogether.

------
kevsim
My hunch is these things are more boneheaded than nefarious. Probably looking
for URLs to share or something silly like that and just implemented poorly.
Obviously not good for the PR, but say sorry and fix the bug. Luckily this
shouldn't happen much longer once iOS 14 is properly released.

~~~
lostdog
A few years ago, linkedin purposefully changed their notification emails to
have less information so you're forced to log in and read the notification on
their platform. Linkedin is also widely known for when they scraped users'
contacts and then spammed them.

Call it incompetence if you want, but there's a certain flavor of evil
incompetence here.

~~~
rkagerer
Facebook (including Messenger) does it too.

There might be a thin guise of "security" (i.e. email isn't a secure place to
send your top-secret inbound message) but I'm inclined to suspect the main
motivation is to drive people back to the platform and drive up their
stickiness metrics.

It's user-hostile.

~~~
justaguyhere
It is not just Facebook and LinkedIn. I've seen this from random small sites.

Some other silly shit that comes to mind - having the unsubscribe link after
half/full page of white space, once you click on unsubscribe "give us 24 to 48
hours to remove your email" etc. Really? they need 24 hours to delete (or
change a flag) in the database?

~~~
fennecfoxen
Sometimes it’s some freaky ETL script that runs daily to put your address in a
marketing message integration system. Not that it’s a great excuse, just
usually more than a single flag update.

------
foxfired
One little weird trick I found is to use the browser for websites.

All the limitations I found on web pages that ask me to download the app are
artificial. What is reddit doing that requires an app? What is facebook doing
that requires an app? There is even less reasons now to use the YouTube app.

~~~
stjohnswarts
can't use reddit enhancement suite on mobile browser. however linkedin,
amazon, twitter, etc all work well enough on mobile browser.

~~~
kreetx
Can't speak for others, but LinkedIn's web is annoyingly slow on mobile.

------
lordofgibbons
I thought I was safe if I blocked all of the permissions these apps "require"
like Contacts on Android.

I'm uninstalling this app from my phone now. This isn't acceptable!

------
dang
The TikTok edition:

[https://news.ycombinator.com/item?id=23634138](https://news.ycombinator.com/item?id=23634138)

[https://news.ycombinator.com/item?id=23691190](https://news.ycombinator.com/item?id=23691190)

------
buildbuildbuild
Ever copy and paste sensitive data on your laptop? Clear that clipboard before
using your iPhone.

Apple's Universal Clipboard may share your clipboard across devices.

~~~
_bxg1
You can disable it by turning off "Handoff" in your iOS settings

------
robmiller
One of my hobbies is looking at url strings with GET key/value pairs.
Programmers must forget that they're visible to users. LinkedIn has a search
workflow that shows "origin=TYPEAHEAD_ESCAPE_HATCH" which I've always found
humorous.

~~~
thaumasiotes
> Programmers must forget that they're visible to users.

GET parameters aren't usually visible to users; with the deemphasis of the URL
bar, you'd have to have an incredibly short URL for that to even be a
possibility. Right now I'm looking at

    
    
        https://news.ycombinator.com/reply?id=23717577&goto=item%3Fi .......
    

That's one visible parameter. There's PLENTY OF SPACE for firefox to show the
rest of the URL, but it won't; instead, a bunch of icons are unhelpfully
crammed into the same horizontal layout.

In the larger sense, where users can see the parameters if they intentionally
look for them, despite the fact that they are normally invisible, POST
parameters are just as visible.

~~~
pwg
> That's one visible parameter. There's PLENTY OF SPACE for firefox to show
> the rest of the URL, but it won't; instead, a bunch of icons are unhelpfully
> crammed into the same horizontal layout.

Right click on the "crammed" icon area, pick "customize", and then you can
drag and drop the icons crammed into the space into another bar (or out of the
UI entirely if they are icons for things you never use), which should then
recover much of the lost space.

------
Bedon292
Discord throws the warning every time you tap on the text box.
[https://www.reddit.com/r/discordapp/comments/hfcvbu/is_disco...](https://www.reddit.com/r/discordapp/comments/hfcvbu/is_discord_ios_spying_on_your_clipboard/fvxc74s/)
fixed with a single line change. They were trying to determine if the paste
button should show up or not.

I am curious what LinkedIn is actually doing with the data. Is it being
exfilled somehow? Or is it just doing something in a really dumb way? I don't
trust them at all to not be taking the data, but what purpose does it have?

------
est
This is precisely how Chinese authorities track down activists using apps
without Location data, it was disclosed a few weeks ago.

They patiently read user's clipboard data and wait for a picture taken and
copied to clipboard, then extract its EXIF geoloc tags and send the
coordinates to the police.

~~~
ohnope
Mind linking to a news source for this? Curious to read more about it.

~~~
est
I tried but it was lost in my twitter feed.

Damn those non-chronological timelines.

------
maximente
hypothesis: "technology" is largely data collection platforms with thin
veneers on top (social networking, dating, food delivery, etc)

if you agree with that premise, then it's no surprise that every possible
source of data that can be collected upon, will be collected upon.

~~~
dredmorbius
That's a near restatement of Zuboff's Third Law:

 _Every digital application that can be used for surveillance and control will
be used for surveillance and control, irrespective of its originating
intention._

Coined in the early 1980s, in _The Age of the Smart Machine_.

[https://en.wikipedia.org/wiki/Shoshana_Zuboff](https://en.wikipedia.org/wiki/Shoshana_Zuboff)

------
caetris1
Has anyone replicated the issue described by the Twitter user? It's probably
important to verify these kinds of claims before they get upvoted. This looks
and feels like disinformation.

~~~
DyslexicAtheist
why? that is nonsense. they have a history of dark patterns and are
ignorant despite 2 data breaches.

------
giarc
LinkedIn is actually copying the clipboard while that user types in a
_different_ app.

[https://twitter.com/DonCubed/status/1278757201310388225](https://twitter.com/DonCubed/status/1278757201310388225)

~~~
ob
No, that is the LinkedIn app. It's the messaging dialog (you can see their
custom "send" button at the lower right corner).

~~~
giarc
I might have linked the wrong tweet, but the user says "Here is LinkedIn
copying and pasting from my notes app “Bear”"

------
blackrock
Wasn’t the same thing reported just 2 days ago about TikTok?

And people immediately jumped to the conclusion that TikTok is some evil
company, controlled by the evil China government?

But yet, here, people are giving the benefit of the doubt, that LinkedIn just
made some boneheaded decision without thinking things through.

~~~
perl4ever
I am sure it is true that _some_ people think TikTok is evil, and _some_
people are hesitant to assume the worst about LinkedIn.

On a close reading, I don't think you have actually asserted that any person
is biased or inconsistent...despite your tone that the climate is biased.

What are you really saying?

------
jmann99999
Microsoft Teams does this in the chat box for every keystroke. It says
"Pasting from device" on each press. I filed a RADAR with Apple before the
TikTok report but now I feel stupid.

Apple is doing the right thing. These other companies appear to have the
issue.

------
asplake
Does this recurring problem suggest a missing API?

~~~
anticensor
Make clipboard behave like a channel[+], like GNOME native apps do,
additionally require a standard paste command to paste, then this clipboard
attack will be impossible to conduct.

[+]:A sample pipe might be a good analogy for this behaviour. You cut or copy
the input, send through the sample pipe, and the receiving end unpacks,
receiving itself makes the sample disappear for further use. Multiple samples
could be sent through the pipe, though the pipe should behave in a LIFO, no
sample adding allowed after removal starts, manner if this is desired.

~~~
filleduchaos
GNOME is based on X11, which _very_ much grants programmatic access to the
clipboard to pretty much any application that asks.

Seriously, has anyone complaining about this actually paid any attention to
how clipboards work on their OSes before this?

~~~
anticensor
> to how clipboards work on their OSes before this?

GNOME has a Wayland implementation too, and what I said only applies to GNOME
native apps.

~~~
filleduchaos
GtkClipboard, like many, many other clipboard implementations, provides
programmatic access to applications[0].

I am thus very curious indeed about how a "GNOME native" app differs in this
context.

0.
[https://developer.gnome.org/gtk3/stable/gtk3-Clipboards.html](https://developer.gnome.org/gtk3/stable/gtk3-Clipboards.html)

------
chrysoprace
The potential of this sort of malicious behaviour always makes me nervous when
I have to copy a password from password managers (generally I'll rely on
Autofill, but when Autofill fails I have to copy my 128+ character passwords).

------
hyko
Illegal _and_ immoral. How can anyone trust these people with personal data
and access to your devices?

We have allowed empires to be built on scummy business practices that are
fundamentally user hostile. We are under no obligation to maintain them.

~~~
mtgp1000
The worst is the implicit social shame when you tell people you would prefer
to use something like signal or telegram to mitigate risk.

This shit is on literally every platform, it's inescapable, and at this point
necessary to participate in society.

~~~
Silhouette
I've actually been reassured by how many of my more thoughtful friends have
appeared on Signal (and other less well-known but more trustworthy tools)
recently. Sure, lots of people are just using something like Zoom or one of
the Facebook-owned privacy invaders, but I get the feeling that with so many
more people relying on these tools for both personal and professional reasons
because of the virus situation, awareness of the issues is at least in moving-
the-needle territory now. It's not much, but it's still progress in the right
direction.

------
DavideNL
Glad Apple added this feature, it seems to work well as it exposes these
issues.

He's typing IN the LinkedIn app though, right? Can apps read the clipboard
when running in the background too?

~~~
behnamoh
Yes they can.

------
thdrdt
When you install software from JetBrains and have the registration key on your
clipboard it will autofill it into the key input field.

There are so many programs using this that it all boils down to trust.

Personally I don't trust LinkedIn so I keep away from them. But in this case
they still might have a valid reason for this.

The fix: be more transparent about why the app is doing it. And the browser/OS
could show a popup every time an app reads the clipboard to make the user
aware of this.

~~~
chillfox
The OS really shouldn't grant apps access to the clipboard until release by
the user in my opinion.

~~~
thdrdt
Well the moment you allow access because you think the app has good intentions
it can misuse it later.

Maybe the popup should not show when the user presses 'paste'. But I believe
awareness is the first step.

~~~
chillfox
I meant the only time an app should be able to get anything out of the
clipboard is when the user specifically uses the OS feature to paste the
content. I don't think apps should ever be allowed to access the clipboard on
their own.

------
queuep
Apple has its 'rigorous' app approval process, why is this not found in
there? I've gotten rejected for all kinds of stuff. But I guess they are not
doing any quality checks on the apps during this approval process?

Here I've justified the $100 yearly developer fees in that they have these
rigorous checks, but apparently they're not really checking the apps?

This is apple failing us, nothing else.

------
spicymaki
After LinkedIn took the contents of my Contacts and uploaded it, I swore I
would never install it to another mobile device again.

------
greggman3
I'm glad iOS14 is showing this but IMO it's the wrong solution. I know this is
easier said than done but basically the OS should make it impossible for an
app to read the clipboard unless the user chooses "PASTE". I have no idea how
that would work on iOS. It can work pretty well in the browser. I'm not saying
the browser is doing this well, but it is possible for the browser to be made
so only a browser level paste gives the current page/iframe the contents of
the clipboard so you know the user specifically wanted whatever is in the
clipboard passed to that page/app.

------
buzzdenver
Why does a website or app even need access to the clipboard? I would maybe
naively think that the OS could send the characters on the clipboard as if
they were typed quickly, end of story.

~~~
wool_gather
You can copy-paste styled text, images, and other kinds of non-plaintext data,
so it couldn't be implemented quite that simply.

~~~
Nextgrid
I wish this wasn't a feature.

Every time I paste something in iOS Mail it will inevitably get pasted as
"rich" text where I have to put extra effort to clear that formatting (paste
it into a plaintext-only input field, then copy from there).

~~~
buzzdenver
Use Command-Shift-V, but I agree that pasting as plain text should be the
default.

------
K0nserv
I spent some time today looking at the apps that have been reported to read
clipboard data. Details here[0] and here[1].

0:
[https://twitter.com/K0nserv/status/1279041484688424960](https://twitter.com/K0nserv/status/1279041484688424960)

1:
[https://twitter.com/K0nserv/status/1279015057939148801](https://twitter.com/K0nserv/status/1279015057939148801)

------
bipson
Even after all explanations and presented use-cases, I fail to understand how
full reading access to a user's clipboard by random third-party apps was ever
considered a good idea - from apps in the background nonetheless! Only in a
world where I, the device manufacturer, write all apps exclusively, maybe.

The moment I draft such a feature my head turns red from all the alarm-bells
going off. I sincerely fail to follow the thought process here.

------
yalogin
This is atrocious. LinkedIn isn’t even in for ads.

I wonder if they are using some tracking software and that is doing this. My
guess is every tracking software does it.

------
daniel_iversen
Could they be doing this as a way to detect scrapers? I think Linkedin has
always been a hot target for smart sales tools to scrape for information.

------
zelphirkalt
Considering the abysmal performance of the LinkedIn website and the fact that
sometimes it seems to get stuck in some race condition, causing 100% CPU load,
my guess is, that they do a lot of other shenanigans, not only every
keystroke, but every millisecond. That, or I guess they are farming bitcoins
on my machine sometimes. Not sure which one it is.

I try to visit it as little as possible.

------
nabakin
Could this be a bot detection feature? If a user types something instantly or
pastes a whole comment, good chance it's a bot.

------
dpratt
I’m going to stop referring to these apps as copying the clipboard, and use
the proper and accurate terminology: ‘keylogger’

------
flattone
I deleted LinkedIn. I wish I still had the 'connections' and their kind words
about my work. Beyond that it has never done anything for me. Well with the
exception of fooling me into trying to use it and it never being useful

Looking forward to msft/linkedin employees minusing me into oblivion haha

~~~
zimpenfish
I deleted it years ago but then had to reactivate it because job searching was
proving difficult without those contacts. Soon as I've got enough "real"* Go
mileage under my belt, I'll delete it again.

* Remember kids, experience only counts if you've done it for realsies at a job, never mind how long you've actually done it.

------
elktea
Does anyone know if there's a firefox extension to show when a site reads your
clipboard?

------
beervirus
LinkedIn is a website. It works just fine as a website. Why would anyone
install it as an app?

------
swiley
It’s interesting that GNU/Linux apps don’t seem to have this problem even
though there’s limited rather than total curation.

It’s almost like letting the community maintain and control the software
results in better user experience.

~~~
filleduchaos
They do have this _problem_, if you're at all aware of how X11 works.

In fact, Linux literally does not have a built-in system clipboard.

~~~
swiley
Not this problem. The apps can access the clipboard but almost none of the
ones you’ll find in Debian repos are exfiltrating data to a corporation that
way.

These apps have access to everything and don’t abuse that access.

------
smabie
Can Unix pipes be implemented using a clipboard? Are there any apps that
explore this? Every app is so self contained on mobile that they all become
useless for all but the most trivial or planned for task.

------
mathattack
This is strange given how sanctimonious Weiner was about caring for people.
Maybe the focus on data theft and advertising is why they haven’t improved the
product in a decade.

------
jmakov
So... I can just create an app and take all your private data?

~~~
behnamoh
Not all; unfortunately you can't access previously stored data.

------
palo3
Why do all these social sites do things like this? They know that someone is
going to find out eventually. I guess they just don't care if they get caught.

------
fredfjohnsen
What does the venn diagram look like for [set of people who are crying about
LinkedIn app] & [set of people glad about the GitHub acquisition] ???

------
saos
When I learnt TikTok was doing this I immediately said to myself that
LinkedIn is 1000% doing this too. They are awfully sneaky.

------
amelius
Wait, is it possible to read the clipboard without an explicit paste action by
the user?

Sounds like the OS is the root problem here.

------
miguelmota
Anyone know if the data is going directly to their servers or the reason
they're doing this on every keystroke?

------
sseneca
how important is it to have LinkedIn? as somebody just starting their career,
I've never really been told to have it but it's as if it's sort of assumed. in
general I don't have other social media, and if LinkedIn isn't that important
then I'd rather not have it, too.

~~~
driverdan
It's nice to have as a resume page. You don't need to use the mobile app or
connect with anyone to use it like that.

As a hiring manager it makes looking at work history easier. I can click
through to companies I don't recognize to learn more about them. Not having a
LinkedIn profile wouldn't be a negative for me, it just makes my life easier.

------
AnanasAttack
I always feared sites would do things like this so I clear the clipboard/fill
it with garbage after usage

------
edoceo
How to discover this kind of activity? Any insight on the technical tools for
this discovery?

------
catalogia
LinkedIn is a subsidiary of Microsoft. I know the title of this post is an
excerpt from a tweet, not a headline, but I think it's generally appropriate
to call out the parent company in cases like this. For instance:
_"Microsoft's LinkedIn app is copying the contents of my clipboard on every
keystroke."_

------
Havoc
And linkedin is probably installed on a hell of a lot of corporate phones...

------
DaniloDias
How's your long July 4th weekend going, linkedin/microsoft?

------
jakeogh
Deliberate problem. Any JS can do it. Fix the browser.

------
rammy1234
Why are you surprised? Did you pay for the service in the first place? Then
everything you do on their site is valuable. You are the product.

------
runawaybottle
Let’s just get this one banned from web apis already.

------
wackget
Apple, make clipboard access a permission already.

------
anticensor
TikTok first, then LinkedIn, then what?

~~~
ixvvqktiwl
I imagine many companies are doing this, only a small number have been caught.
Some of them might yank the code before they get caught.

------
factchecker01
Could it be the Apple clipboard?

------
rmrfstar
If you're a multi-billion dollar company with a "government relations" team,
it is better to ask for forgiveness than permission.

If you're a random internet weirdo who uses a public interface in an
unexpected way, you face decades in prison. [1]

[1]
[https://www.wsj.com/articles/SB10001424052748704312104575299...](https://www.wsj.com/articles/SB10001424052748704312104575299111189853840)

~~~
MathCodeLove
I'm not going to create an account with the WSJ just to read that article, but
from the opening paragraph I don't see how it supports your claim. It appears
to be talking about something AT&T did?

~~~
staller
If you cannot access the WSJ article, the random internet weirdo has a
Wikipedia page that touches on some of it:
[https://en.wikipedia.org/wiki/Weev](https://en.wikipedia.org/wiki/Weev)

------
leephillips
Every day I read about another outrage being committed by another garbage app
that I do not have and would never install on my phone. Why do people need a
LinkedIn app? Even if you think that you need LinkedIn, can’t you access your
please-spam-me account through your browser? Isn’t it obvious that every
closed-source mystery program that you install increases your attack surface?
You wouldn't click on an email attachment from a stranger in Russia, so why
install an executable from a company that you already know is unethical?

~~~
dmart
Perhaps not relevant to LinkedIn specifically, but in general people install
these apps because they eventually get fed up with the purposefully crippled
mobile website badgering them about it. Ever tried to use Yelp or Reddit's
mobile websites? Impossible.

~~~
thesimon
>Ever tried to use Yelp or Reddit's mobile websites? Impossible

The other day I tried to view a subreddit in Safari. It was literally
impossible, it was claimed to be only available in the app.

~~~
Fwirt
If you don't mind seeing the desktop interface, prepend "old" to the domain on
any reddit page (i.e. change the domain to old.reddit.com) to bring up the
legacy interface. Loads quick and works fine on mobile if you don't mind
zooming.

That said, it's ridiculous that this is necessary.

~~~
rococode
For a super legacy experience, try i.reddit.com

[https://i.reddit.com/](https://i.reddit.com/)

------
pezo1919
Meanwhile as an indie dev I can't sleep because of GDPR... Hah, my shoulder
just started ticking. :>

~~~
jansan
All new laws make it harder for indie devs and benefit the megacorps with
armies of lawyers.

------
alt_f7
Does anyone remember when LinkedIn used to upload your entire phone book, no
questions or permissions asked just a few years ago?

That kind of stuff is not beyond them.

