  • Voltaire Staff

Nearly all Chinese keyboard apps may be vulnerable to data theft, claims Citizen Lab



Researchers from the Citizen Lab have uncovered a widespread security vulnerability in nearly all keyboard apps used by Chinese speakers worldwide. The loophole could allow malicious actors to spy on users' keystrokes, exposing sensitive data.


The vulnerability, which has existed for several years, allows keystroke data transmitted to the cloud to be intercepted, leaving users exposed to cybercriminals and state surveillance entities.


These keyboard apps, integral for efficient Chinese character input, are extensively used across devices by the Chinese populace.


The four leading apps, developed by prominent internet entities such as Baidu, Tencent, and iFlytek, encompass the majority of Chinese typing methods.


The research, conducted by the Citizen Lab, a technology and security research institute associated with the University of Toronto, also delved into preinstalled keyboard apps on Android devices marketed in China, revealing alarming results.


According to the report, nearly every third-party app and preinstalled keyboard on Android phones failed to adequately encrypt user input.

Smartphones manufactured by Huawei emerged as the sole devices devoid of such security vulnerabilities.


An analysis of cloud-based pinyin keyboard apps from nine prominent vendors -- Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi -- unveiled critical vulnerabilities in eight of the apps.


In August 2023, researchers discovered that the Sogou keyboard app, a popular Chinese pinyin input method editor widely used for typing predictions, didn't use Transport Layer Security (TLS) to protect keystroke data sent to its cloud server. The loophole made it possible for third parties to collect and decrypt users' keystrokes.


TLS is a cryptographic protocol used to secure communication over a computer network; it ensures that data transmitted between devices is encrypted and protected from interception and tampering.
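To make the point concrete for app developers, the following added illustration (not code from Citizen Lab, Sogou, or any vendor named in the article) shows what a client-side policy for shipping keystroke data to a cloud predictor should look like: refuse any endpoint that is not `https://`, pin a minimum TLS version, and require certificate and hostname verification. The endpoint URL, the function names, and the `describe_policy` helper are hypothetical; the Python `ssl` calls are standard-library.

```python
"""Client-side TLS policy for an input-method app that uploads keystroke data.

Added illustration. The endpoint and function names are hypothetical; the
ssl/socket APIs are Python's standard library.
"""
import socket
import ssl
from urllib.parse import urlparse


def make_client_context() -> ssl.SSLContext:
    """Build a context that only talks TLS 1.2+ to a verified server.

    create_default_context() already loads the system CA store and turns on
    hostname checking; the remaining settings are made explicit so the policy
    survives a future change of defaults or a careless edit elsewhere.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # reject SSLv3/TLS 1.0/1.1
    ctx.check_hostname = True                       # certificate must match host
    ctx.verify_mode = ssl.CERT_REQUIRED             # unverifiable chain = no connection
    return ctx


def describe_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the enforced settings (handy for unit tests and audits)."""
    return {
        "min_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def endpoint_is_acceptable(url: str) -> bool:
    """Keystroke data may only leave the device over https:// to a named host."""
    u = urlparse(url)
    return u.scheme == "https" and bool(u.hostname)


def open_upload_channel(url: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a verified TLS connection to the prediction endpoint, or refuse.

    A plain http:// URL (the failure mode described in the article) is rejected
    before any packet is sent, so no keystroke can ever travel in the clear.
    """
    if not endpoint_is_acceptable(url):
        raise ValueError(f"refusing to send keystrokes over a non-TLS endpoint: {url}")
    u = urlparse(url)
    raw = socket.create_connection((u.hostname, u.port or 443), timeout=timeout)
    return make_client_context().wrap_socket(raw, server_hostname=u.hostname)


if __name__ == "__main__":
    # Hypothetical endpoints; only the policy decision is exercised here,
    # no network connection is made.
    for candidate in ("http://ime.example.invalid/predict",
                      "https://ime.example.invalid/predict"):
        print(candidate, "->", "allowed" if endpoint_is_acceptable(candidate) else "refused")
    print(describe_policy(make_client_context()))
```

`open_upload_channel` is the only function that touches the network; everything the policy decides can be checked offline through `endpoint_is_acceptable` and `describe_policy`, which is how a test suite can guard against the regression the article describes.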


Combining these findings with previous reports on Sogou's keyboard apps, it's estimated that up to one billion users may be affected. Given the severity of these vulnerabilities and the ease with which they could be exploited, concerns arise regarding potential mass surveillance of users' keystrokes.


The vulnerabilities were reported to all nine vendors, and most responded promptly and addressed the issues; some keyboard apps, however, remain vulnerable despite efforts to rectify the situation.


"Because we had so much luck looking at this one, we figured maybe this generalizes to the others, and they suffer from the same kinds of problems for the same reason that the one did," said Jeffrey Knockel, a senior research associate at the Citizen Lab, adding, "and as it turns out, we were unfortunately right."


The vulnerabilities found could already have been exploited by hackers to access sensitive information such as bank passwords. While no evidence of this exists, Western government hackers targeted a similar loophole in 2011.


According to Jedidiah Crandall, an associate professor at Arizona State University, quoted in MIT Technology Review, the loopholes rely on outdated encryption that is easily decrypted, making them ideal for large-scale surveillance.

