

Almost Every Chinese Keyboard App Has a Security Flaw That Reveals What Users Type (technologyreview.com)

(Wednesday April 24, 2024 @11:30PM (BeauHD) from the PSA dept.)


An anonymous reader quotes a report from MIT Technology Review:

> Almost all keyboard apps used by Chinese people around the world share a security loophole that [1]makes it possible to spy on what users are typing. The vulnerability, which allows the keystroke data that these apps send to the cloud to be intercepted, has existed for years and could have been exploited by cybercriminals and state surveillance groups, [2]according to researchers at the Citizen Lab, a technology and security research lab affiliated with the University of Toronto.

>

> These apps help users type Chinese characters more efficiently and are ubiquitous on devices used by Chinese people. The four most popular apps -- built by major internet companies like Baidu, Tencent, and iFlytek -- basically account for all the typing methods that Chinese people use. Researchers also looked into the keyboard apps that come preinstalled on Android phones sold in China. What they discovered was shocking. Almost every third-party app and every Android phone with preinstalled keyboards failed to protect users by properly encrypting the content they typed. A smartphone made by Huawei was the only device where no such security vulnerability was found.

>

> In August 2023, the same researchers [3]found that Sogou, one of the most popular keyboard apps, did not use Transport Layer Security (TLS) when transmitting keystroke data to its cloud server for better typing predictions. Without TLS, a widely adopted international cryptographic protocol that protects users from a known encryption loophole, keystrokes can be collected and then decrypted by third parties. Even though Sogou fixed the issue after it was made public last year, some Sogou keyboards preinstalled on phones are not updated to the latest version, so they are still subject to eavesdropping. [...] After the researchers got in contact with companies that developed these keyboard apps, the majority of the loopholes were fixed. But a few companies have been unresponsive, and the vulnerability still exists in some apps and phones, including QQ Pinyin and Baidu, as well as in any keyboard app that hasn't been updated to the latest version.



[1] https://www.technologyreview.com/2024/04/24/1091740/chinese-keyboard-app-security-encryption/

[2] https://citizenlab.ca/2024/04/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers/

[3] https://www.technologyreview.com/2023/08/21/1078207/sogou-keyboard-app-security-loophole/



What you say? (Score:2)

by ebunga ( 95613 )

I totally did not see this coming. Nope, never in a million years.

Gee, I wonder how that happened (Score:2)

by locater16 ( 2326718 )

/s

Word use (Score:2)

by Brett Buck ( 811747 )

Security "flaw"? As if it were some accident?

fdpaiaope lhiadfjs lksfda qjlg lkasd (Score:2)

by backslashdot ( 95548 )

fposa djvoint aeoincow. ampcsaliocjdoi qjrc0iqjvav. hsaoifj fjsf. afds fasf fdoso af wt f apptrpe ca l ja f papivmcnbzxmf rp afjoapqmc admdas cdma camfka!

Take that ya Chinese!

Every Chinese Keyboard App Has a... (Score:2)

by Raistlin77 ( 754120 )

...hidden function that sends all keystrokes to malicious actors. FTFY

They found one phone (Score:2)

by hdyoung ( 5182939 )

That was actually secure? The intelligence establishment will get right on this and fix that problem.
