Security Vulnerabilities Compromise Keystrokes of More Than 1 Billion Users of Chinese Keyboard App


Security Vulnerabilities in Cloud-Based Pinyin Keyboard Apps Expose Users’ Keystrokes

A recent report from the Citizen Lab has uncovered security vulnerabilities in cloud-based pinyin keyboard apps that could expose users’ keystrokes to malicious actors. The findings highlight weaknesses in eight of the nine apps examined, from major vendors like Baidu, Honor, Samsung, and Xiaomi, with Huawei being the only exception.

According to researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert, these vulnerabilities could allow attackers to intercept users’ keystrokes in transit and reveal their contents. This puts nearly one billion users at risk, with popular Input Method Editors (IMEs) from Sogou, Baidu, and iFlytek being among the most affected.

Some of the identified issues include Tencent QQ Pinyin being vulnerable to a CBC padding oracle attack, network eavesdroppers being able to decrypt text sent by Baidu IME, and insufficient encryption of iFlytek IME transmissions. Additionally, Samsung Keyboard on Android was found to transmit data over plain, unencrypted HTTP, while devices from Xiaomi, OPPO, Vivo, and Honor were also flagged as susceptible to similar flaws because of the keyboard apps they ship preinstalled.

While most developers have addressed these vulnerabilities following responsible disclosure, users are advised to keep their apps updated and consider using on-device keyboard apps to enhance their privacy. The report also calls for app developers to adopt standardized encryption protocols and for app store operators to facilitate security updates without geographical restrictions.
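The CBC padding oracle named above, and the move to standardized authenticated encryption that the report recommends, can be seen side by side in one small Go program. This is an added illustration, not code from the Citizen Lab report or from any of the keyboard apps; the key, the JSON-shaped keystroke payload and the application-level "payload must be JSON" check are constructed assumptions. It encrypts the same payload with unauthenticated AES-CBC and with AES-GCM, then counts how many distinct outcomes the sender of a tampered ciphertext can observe from each decryptor: the legacy path leaks whether padding was valid, the AEAD path rejects every modification identically.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// A decryptor that lets the sender tell ErrPadding apart from ErrContent is a
// padding oracle. The AES-GCM path below can only ever return ErrAuth.
var ErrPadding, ErrContent, ErrAuth = errors.New("bad padding"), errors.New("bad content"), errors.New("authentication failed")

func pkcs7Unpad(b []byte) ([]byte, error) {
	if n := len(b); n > 0 {
		if p := int(b[n-1]); p > 0 && p <= n && bytes.Equal(b[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
			return b[:n-p], nil
		}
	}
	return nil, ErrPadding
}

// LegacyCBCEncrypt is the weak construction: AES-CBC, PKCS#7, no MAC. Output is IV || ciphertext.
func LegacyCBCEncrypt(block cipher.Block, plaintext []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // documented never to fail on Go 1.24+
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...)
}

// LegacyCBCDecrypt reports bad padding and bad content as different errors; that difference is the oracle.
func LegacyCBCDecrypt(block cipher.Block, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, ErrContent
	}
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:])
	pt, err := pkcs7Unpad(pt)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(pt, []byte("{")) { // hypothetical app-level check: payload must be JSON
		return nil, ErrContent
	}
	return pt, nil
}

// AEADEncrypt/AEADDecrypt use AES-GCM: tampering fails the tag check before any plaintext is examined.
func AEADEncrypt(g cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, nil)
}

func AEADDecrypt(g cipher.AEAD, msg []byte) ([]byte, error) {
	if len(msg) < g.NonceSize() {
		return nil, ErrAuth
	}
	pt, err := g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
	if err != nil {
		return nil, ErrAuth // one uniform failure, whatever was modified
	}
	return pt, nil
}

// FailureKinds sets the byte at offset idx to each of the 255 other values and counts the
// distinct outcomes the decryptor reveals to whoever sent the message ("<nil>" means success).
func FailureKinds(decrypt func([]byte) ([]byte, error), msg []byte, idx int) map[string]int {
	kinds := map[string]int{}
	for v := 0; v < 256; v++ {
		if byte(v) == msg[idx] {
			continue
		}
		probe := append([]byte(nil), msg...)
		probe[idx] = byte(v)
		_, err := decrypt(probe)
		kinds[fmt.Sprint(err)]++
	}
	return kinds
}

func main() {
	block, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)           // cannot fail for AES's 128-bit block
	payload := []byte(`{"keys":"ni hao"}`) // constructed 17-byte payload: pads to two blocks
	cbc, gcm := LegacyCBCEncrypt(block, payload), AEADEncrypt(g, payload)
	// CBC: vary the last byte of the block before the final one (it feeds the padding byte); GCM: vary a tag byte.
	fmt.Println("CBC:", FailureKinds(func(m []byte) ([]byte, error) { return LegacyCBCDecrypt(block, m) }, cbc, len(cbc)-aes.BlockSize-1))
	fmt.Println("GCM:", FailureKinds(func(m []byte) ([]byte, error) { return AEADDecrypt(g, m) }, gcm, len(gcm)-1))
}
```

With this payload the CBC decryptor answers 254 of the 255 probes with "bad padding" and exactly one differently (the value that turns the final byte into a valid one-byte pad), so a sender can distinguish outcomes; the GCM decryptor answers all 255 with the same authentication failure. That distinguishability, not the cipher itself, is what a protocol review should look for, and replacing ad hoc CBC framing with an AEAD mode such as AES-GCM or with TLS removes it.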

The researchers also raised concerns about the potential for mass surveillance by exploiting these vulnerabilities, highlighting the need for increased security measures to safeguard users’ sensitive data. As the cybersecurity landscape continues to evolve, it is crucial for both users and developers to prioritize data protection and encryption protocols to mitigate such risks.
