Yet again, the Chinese online fast-fashion retailer SHEIN has come under scrutiny after a report revealed that its app periodically accessed the contents of the clipboard on Android devices. The report highlighted SHEIN's data-stealing process through the user's clipboard.
According to the Microsoft report, an old version of the SHEIN Android application was able to access and read the contents of the clipboard of the Android device.
Moreover, when it detected a particular pattern, the SHEIN Android app also sent the contents of the clipboard to a remote server.
Though Microsoft researchers did not find any malicious intent behind the clipboard data-stealing procedure, they noted that the step did not help users perform any specific task.
The SHEIN Android application in question is available on the Google Play Store and has over 100 million downloads, leading to speculation regarding the company's clipboard behavior and the risk posed by the app.
SHEIN Data Stealing
In its report, cybersecurity firm Sophos noted that Zoetop, owner of SHEIN and ROMWE, added some extra code to its Android shopping app that made the app perform tasks similar to a marketing spyware tool. Version 7.9.2 of SHEIN was found to have this code from 2022.
Such perusing of clipboard content is not permitted in the latest Android versions and users are alerted if such activity is detected.
Interestingly, ever since Microsoft's report revealed SHEIN's unauthorized access to the user's clipboard, the app has been updated several times.
Google has also added mitigation measures to help users identify apps that have dubious tools in place that breach security.
Moreover, Sophos has also urged users to pay attention to app privacy violations even if the app was vetted and ranked by Google Play.
Accessing the data from the clipboards of over 100 million users raises questions regarding the user’s security and the vulnerability of information such as passwords, usernames, and links shared on the platform.
SHEIN Data Breach, Company Fined $1.9m
However, this is not the first time the fashion e-commerce brand has been accused of mishandling user data.
In 2018, Zoetop was fined $1.9m (£1.69m) for mishandling a data breach incident in which the login details of over 39 million SHEIN account users were stolen. The hackers were able to access sensitive user information that included credit card details, names, emails, and passwords.
According to a BBC report, the company had lied about the severity of the data breach and alerted “only a fraction” of the users who were impacted by the incident.
The report revealed that the leaked information included over 800,000 New York users. The data, which included login credentials, was later found on the dark web.