Security vulnerabilities in various cloud-based pinyin keyboard apps have been identified, potentially compromising the privacy of nearly one billion users. Research conducted by Citizen Lab uncovered significant weaknesses in eight of the nine investigated keyboard apps developed by major companies including Baidu, Samsung, Tencent, and Xiaomi. These vulnerabilities could allow malicious actors to decrypt and access the contents of users’ keystrokes while in transit, posing a significant privacy threat. Notably, only Huawei’s keyboard app was found to be devoid of such security flaws.
The specific vulnerabilities vary among the different vendors but share common exploitative potential. For instance, Tencent’s QQ Pinyin was found vulnerable to a CBC padding oracle attack, which could enable attackers to recover plaintext data. Baidu’s IME has a bug in its encryption protocol that allows network eavesdroppers to decrypt network transmissions on Windows devices. Samsung’s keyboard app on Android transmits keystrokes in plain, unencrypted HTTP, making it trivial for attackers to capture this data.
Following the discovery, the researchers adhered to responsible disclosure practices, and most vendors, except Honor and Tencent, had addressed and rectified the issues as of April 1, 2024. Users are advised to keep their apps and operating systems updated and to switch to keyboard apps that operate entirely on-device to safeguard their privacy. Additionally, app developers are urged to adopt well-tested, standard encryption protocols rather than relying on in-house developed, potentially flawed versions.
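To make the CBC padding oracle class and the "use standard protocols" advice concrete, the following added example (not code from Citizen Lab or any vendor) contrasts unauthenticated AES-CBC with AES-GCM using Node's built-in `crypto` module. The function names, the random key and the sample message `nihao` are constructed for illustration.

```javascript
const crypto = require('crypto');

// Weak pattern: AES-CBC with no integrity check (constructed example).
function cbcEncrypt(key, text) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-128-cbc', key, iv);
  return Buffer.concat([iv, c.update(text, 'utf8'), c.final()]);
}
function cbcDecrypt(key, msg) {
  const d = crypto.createDecipheriv('aes-128-cbc', key, msg.subarray(0, 16));
  try {
    const pt = Buffer.concat([d.update(msg.subarray(16)), d.final()]);
    return { ok: true, text: pt.toString('utf8') };
  } catch (e) {
    return { ok: false, text: null }; // padding failure, visible to the sender
  }
}

// Standard AEAD: any change to nonce, tag or ciphertext fails the tag check.
function gcmEncrypt(key, text) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', key, nonce);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}
function gcmDecrypt(key, msg) {
  const d = crypto.createDecipheriv('aes-128-gcm', key, msg.subarray(0, 12));
  d.setAuthTag(msg.subarray(12, 28));
  try {
    const pt = Buffer.concat([d.update(msg.subarray(28)), d.final()]);
    return { ok: true, text: pt.toString('utf8') };
  } catch (e) {
    return { ok: false, text: null }; // one uniform rejection for any tampering
  }
}

// Return a copy of msg with one byte XORed, simulating in-transit modification.
function flip(msg, index, mask) {
  const out = Buffer.from(msg);
  out[index] ^= mask;
  return out;
}

const key = crypto.randomBytes(16); // constructed session key
const cbc = cbcEncrypt(key, 'nihao');
const gcm = gcmEncrypt(key, 'nihao');
console.log(cbcDecrypt(key, flip(cbc, 0, 1)));  // accepted with altered text
console.log(cbcDecrypt(key, flip(cbc, 15, 1))); // rejected: padding now invalid
console.log(gcmDecrypt(key, flip(gcm, 28, 1))); // rejected by the tag check
```

The CBC receiver behaves differently depending on whether a modified message still has valid padding, which is the observable difference a padding oracle depends on; the AEAD receiver gives the same answer for every modification.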
The overarching concern highlighted by Citizen Lab involves the potential mass surveillance of users’ keystrokes facilitated by these vulnerabilities. Considering the sensitivity of the data typically entered on keyboards and the ease of exploitation, the scenario mirrors past instances where similar flaws have been leveraged for surveillance by intelligence agencies. The researchers suggest that the inclination of Chinese developers to avoid Western cryptographic standards, fearing potential backdoors, might have led to the adoption of weaker, homemade encryption solutions.