Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users’ keystrokes to nefarious actors.
The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app did not have any security shortcomings is Huawei.
The vulnerabilities could be exploited to “completely reveal the contents of users’ keystrokes in transit,” researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert said.
The disclosure builds upon prior research from the interdisciplinary laboratory based at the University of Toronto, which identified cryptographic flaws in Tencent’s Sogou Input Method last August.
Collectively, it’s estimated that close to one billion users are affected by this class of vulnerabilities, with Input Method Editors (IMEs) from Sogou, Baidu, and iFlytek accounting for a huge chunk of the market share.
A summary of the identified issues is as follows:
- Tencent QQ Pinyin, which is vulnerable to a CBC padding oracle attack that could make it possible to recover plaintext
- Baidu IME, which allows network eavesdroppers to decrypt network transmissions and extract the typed text on Windows owing to a bug in the BAIDUv3.1 encryption protocol
- iFlytek IME, whose Android app allows network eavesdroppers to recover the plaintext of insufficiently encrypted network transmissions
- Samsung Keyboard on Android, which transmits keystroke data via plain, unencrypted HTTP
- Xiaomi, which comes preinstalled with keyboard apps from Baidu, iFlytek, and Sogou (and is therefore susceptible to the same aforementioned flaws)
- OPPO, which comes preinstalled with keyboard apps from Baidu and Sogou (and is therefore susceptible to the same aforementioned flaws)
- Vivo, which comes preinstalled with Sogou IME (and is therefore susceptible to the same aforementioned flaw)
- Honor, which comes preinstalled with Baidu IME (and is therefore susceptible to the same aforementioned flaw)
Successful exploitation of these vulnerabilities could permit adversaries to decrypt Chinese mobile users’ keystrokes entirely passively without sending any additional network traffic. Following responsible disclosure, every keyboard app developer with the exception of Honor and Tencent (QQ Pinyin) has addressed the issues as of April 1, 2024.