
Major Security Flaws Expose Keystrokes of More Than 1 Billion Chinese Keyboard App Users

Due to a serious security flaw, almost one billion users of cloud-based pinyin keyboard applications have had their keystrokes compromised. An interdisciplinary research group at the University of Toronto called Citizen Lab found vulnerabilities in eight of nine widely used apps, making user data susceptible to “nefarious actors.”

These vulnerabilities resulted from improper handling of keystroke data during transmission by the apps. It was discovered that the keyboards on Baidu, Honor, iFlytek, OPPO, Samsung, Tencent (QQ Pinyin), Vivo, and Xiaomi were all deficient. Notably, the only exception was the keyboard from Huawei.

Researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert stated that “these vulnerabilities could allow attackers to completely decipher what users are typing.” This confirms findings from August of last year, when Tencent’s Sogou Input Method was found to have encryption vulnerabilities by the Citizen Lab.

Widespread IMEs (Input Method Editors) like Sogou, Baidu, and iFlytek are affected. Among the issues noted are:

  • Tencent QQ Pinyin: Vulnerable to a CBC padding oracle attack that could reveal typed content.
  • Baidu IME (Windows): Network traffic can be decrypted, exposing typed text due to a flawed encryption protocol.
  • iFlytek IME (Android): Insufficient encryption allows attackers to recover user input.
  • Samsung Keyboard (Android): Keystroke data transmitted completely unencrypted.
  • Pre-installed Keyboards: Devices from Xiaomi, OPPO, Vivo, and Honor come pre-installed with keyboards from Baidu, iFlytek, and Sogou, inheriting their vulnerabilities.

Due to these flaws, attackers can passively intercept and read user keystrokes without sending any additional network traffic. Fortunately, the Citizen Lab’s responsible disclosure encouraged the majority of developers to resolve the issues by April 1, 2024. But Tencent (QQ Pinyin) and Honor had still not addressed the flaws.

In order to reduce these risks, users are advised to:

  • Keep apps and operating systems updated.
  • Switch to a keyboard app that processes data entirely on-device.
  • Use well-established encryption protocols instead of custom solutions.

Additionally, app stores ought to refrain from geoblocking security updates, and developers should ensure that keystroke data is only ever transmitted encrypted.

According to the Citizen Lab, concerns about possible backdoors may make Chinese app developers reluctant to use Western encryption standards. This might account for their reliance on home-grown ciphers, which are frequently weak.

The researchers expressed concern that because of the vulnerability’s wide scope, the sensitive nature of user-typed data, and its ease of exploitation, state actors who have a history of taking advantage of vulnerabilities like these might conduct mass surveillance.

Jeffrey Childers

Journalist, editor, cybersecurity and computer science expert, social media management, roofing contractor.

One Comment

  1. Yeah, just buy Apple, they already steal ALL your data, cut the anti-everything-but-the-U.S. crap
