
Levy Olvera • April 24, 2024

Cloud-Based Pinyin Keyboards Expose 1 Billion+ Users: Unveiling Major Security Risks

Security vulnerabilities have been discovered in cloud-based pinyin keyboard apps, potentially exposing the keystrokes of over 1 billion Chinese users to interception.

In the past, keystroke attacks on physical keyboards typically relied on keylogging software or hardware. Software keyloggers could be installed surreptitiously on a target's computer, intercepting and recording keystrokes as they were typed. Hardware keyloggers could be physically inserted between the keyboard cable and the computer, capturing keystrokes before they even reached the operating system.

Nowadays, with the prevalence of virtual keyboards on devices like smartphones and tablets, keystroke attacks have adapted to target these platforms. Attacks on virtual keyboards often involve intercepting data in transit over the network, for example by exploiting weaknesses in the protocols a keyboard app uses to send keystrokes to its cloud service, as seen in the vulnerabilities uncovered by Citizen Lab.

So what recently happened:

Highlights:


  • Citizen Lab uncovered vulnerabilities in eight out of nine pinyin keyboard apps from various vendors.
  • The weaknesses could expose users' keystrokes in transit, affecting popular apps from Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi.
  • The vulnerabilities include a CBC padding oracle attack on Tencent QQ Pinyin, plaintext recovery from Baidu IME and iFlytek IME, and plain, unencrypted HTTP transmission by Samsung Keyboard on Android.
  • Successful exploitation could allow passive decryption of keystrokes by a network eavesdropper, without sending any additional network traffic.
  • As of April 1, 2024, most developers had addressed the issues following responsible disclosure, with the exception of Honor and Tencent (QQ Pinyin).

Analysis of the Keystroke Threat:

Concerns have been raised about the potential for mass surveillance, given the sensitivity of the user data involved and the past exploitation of similar vulnerabilities.

Chinese developers' reluctance to use "Western" cryptographic standards may have led them to build in-house encryption protocols that turned out to be vulnerable.

Users are urged to update their apps and operating systems regularly and to consider switching to on-device keyboard apps to mitigate the privacy risk. Developers are advised to use standard encryption protocols, and app store operators are advised to facilitate security updates without geoblocking.


Sources and further reading:

The Hacker News. (n.d.). Major security flaws expose keystrokes of over 1 billion Chinese keyboard app users. https://thehackernews.com/2024/04/major-security-flaws-expose-keystrokes.html

Knockel, J. (2024, April 23). The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers. The Citizen Lab. https://citizenlab.ca/2024/04/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers/