Shein's Android App Bug that Transmitted Clipboard Contents to Remote Server
The Microsoft 365 Defender Research Team has recently discovered a privacy issue with an older version of Shein's Android application. Version 7.9.2 of the app, released on December 16, 2021, suffered from a bug that periodically captured and transmitted clipboard contents to a remote server, api-service[.]shein[.]com. The bug has been addressed in the latest version, 9.0.0, released in May 2022.
Shein, a Chinese online fast fashion retailer based in Singapore, has over 100 million downloads on the Google Play Store. Microsoft stated that there was no indication of malicious intent behind the bug, but the function was not necessary for the app's tasks.
The issue highlights the potential risk that clipboard contents can pose to mobile users, who often use the clipboard to copy and paste sensitive information such as passwords or payment details. Attackers could leverage clipboards to collect and exfiltrate useful data. To mitigate these risks, Google has made improvements to Android, including displaying toast messages when an app accesses the clipboard and preventing apps from accessing clipboard data unless they are actively running in the foreground.
Overall, the discovery of the Shein app bug serves as a reminder to mobile users to be cautious when copying and pasting sensitive information and to regularly update their apps to ensure they are using the latest, secure versions.