Article Details

Scrape Timestamp (UTC): 2024-04-24 09:39:26.468

Source: https://thehackernews.com/2024/04/major-security-flaws-expose-keystrokes.html

Original Article Text


Major Security Flaws Expose Keystrokes of Over 1 Billion Chinese Keyboard App Users

Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users' keystrokes to nefarious actors. The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors including Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app had no security shortcomings is Huawei.

The vulnerabilities could be exploited to "completely reveal the contents of users' keystrokes in transit," researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert said. The disclosure builds upon prior research from the interdisciplinary laboratory, based at the University of Toronto, which identified cryptographic flaws in Tencent's Sogou Input Method last August.

Collectively, close to one billion users are estimated to be affected by this class of vulnerabilities, with Input Method Editors (IMEs) from Sogou, Baidu, and iFlytek accounting for a large share of the market.

A summary of the identified issues is as follows -

Successful exploitation of these vulnerabilities could permit adversaries to decrypt Chinese mobile users' keystrokes entirely passively, without sending any additional network traffic. Following responsible disclosure, every keyboard app developer, with the exception of Honor and Tencent (QQ Pinyin), has addressed the issues as of April 1, 2024.

Users are advised to keep their apps and operating systems up to date and to switch to a keyboard app that operates entirely on-device to mitigate these privacy issues. Other recommendations call on app developers to use well-tested, standard encryption protocols instead of developing homegrown versions that could have security problems. App store operators have also been urged not to geoblock security updates and to allow developers to attest that all data they transmit is encrypted.
The Citizen Lab theorized that Chinese app developers may be less inclined to use "Western" cryptographic standards owing to concerns that those standards could contain backdoors of their own, prompting them to develop in-house ciphers. "Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, the ease with which these vulnerabilities may have been discovered, and that the Five Eyes have previously exploited similar vulnerabilities in Chinese apps for surveillance, it is possible that such users' keystrokes may have also been under mass surveillance," the researchers said.

Daily Brief Summary

DATA BREACH // Major Flaws in Chinese Keyboard Apps Risk User Data

Security vulnerabilities have been found in several popular Chinese keyboard applications, potentially exposing over 1 billion users' keystrokes.

Researchers from Citizen Lab identified that keyboard apps from companies such as Baidu, Honor, iFlytek, and Tencent lacked adequate encryption, making it possible for malicious actors to intercept user data.

Huawei's keyboard app was the only one among the examined apps to have no reported security flaws.

The researchers estimate that the vulnerabilities could affect almost one billion users, as the affected apps are widely used across a range of mobile devices.

Upon responsible disclosure of the findings, all affected companies, except Honor and Tencent (QQ Pinyin), have patched the identified security issues as of April 1, 2024.

Users are advised to update their keyboard apps and operating systems, or to switch to keyboard apps that operate entirely on-device, to protect their data privacy.

Citizen Lab recommended that app developers use standardized and rigorously tested encryption protocols to prevent potential security lapses.

Concerns were raised about the reluctance of Chinese app developers to adopt Western cryptographic standards due to fears of embedded backdoors, leading them to create their own encryption schemes, which may be less secure.