By Harry McCracken | Friday, December 12, 2008 at 6:19 pm
(NOTE: Jed Schmidt of Pastebud fixed the problem I discuss in this post yesterday night after I notified him about it. It affected only users–such as me–who misconfigured the service. Scroll down for details…)
Yesterday, I waxed enthusiastic about Pastebud, a new copy-and-paste service for the iPhone that gets around Apple’s lack of support for such a feature via a clever end-run that involves transferring text back and forth between Safari and Mail via an online clipboard. I waxed prematurely: I’m using Pastebud, which became available today…and it’s apparently giving me access to strangers’ clipboards.
It’s happening when I try to copy-and-paste from e-mail on my iPhone, which involved forwarding the e-mail you want to copy from to an e-mail address Pastebud gives you. You get an e-mail in return with a link to a Web page. Your e-mail is supposed to await there, ready for you to select part of it for pasting into another e-mail or into a Web form.
But I’m getting text I didn’t send–the complete text of e-mails–such as this (personally identifiable info censored):
And this (an e-mail header in French):
Pastebud’s site addresses security, and says it’s “safe enough” for general use. Based on my experience so far, I think not! But I don’t know if I’m running into some bizarre quirk or doing something wrong, or if this is happening to everyone who’s trying Pastebud as I speak. I just know that I’ve come to the conclusion that using a Web service as a substitute for a feature that should be in a device’s OS may not be such a great idea after all.
By definition, Pastebud’s e-mail-copying feature isn’t anonymous: It copies complete e-mails complete with headers and other personally-identifiable info that’s in those messages, then sends them to a Web page that’s at an arcane URL and gets nuked quickly, but isn’t password-protected. That shouldn’t be a huge problem, assuming you’re the only person who has access to the page. If random other Pastebud users are sent to it when they try to get to their own clipboards, though…problem!
I’m going to attempt to contact the company and see what’s up–and will let you know what I hear.
(Update: Pastebud’s Get Satisfaction forum has reports from other folks who are experiencing this, and a note that the company is working on the problem. Which is good news, but Pastebud is still operational, and is still giving me strangers’ e-mail. Like this one:
And, I would tend to assume, Pastebud is probably giving other people my e-mails I’ve tried to copy…not that they’re all that scandalous.)
(Further update: Pastebud–someone from the company, I mean–got my query and says it’ll follow up.)
(Further further update: I’m talking to Jed Schmidt, the guy behind Pastebud: He’s diagnosing what’s going on. More details to come.)
(Furthest update so far: Jed Schmidt says that he thinks they’ve found the problem. For what it’s worth, I just tried copying an e-mail again. And for the first time, I got my own e-mail rather than somebody else’s.)
(Final update: In the comments, Jed Schmidt says that he’s identified and fixed the problem. It was apparently a security flaw revealed by user error–I and other users were forwarding the e-mails we wanted to copy from to the wrong e-mail address–due, in my case at least, to the fact that Pastebud’s instructions are pretty terse–and ended up with a bizarre collective clipboard. I’ll try to take another look at Pastebud and let you know what I think now that this glitch has been addressed…)