
Almost a billion users’ keystrokes possibly leaked by Chinese keyboard apps


Eight of nine major Chinese keyboard apps were found to have vulnerabilities that could be leveraged to expose nearly a billion users' keystrokes, The Hacker News reports.

According to the Citizen Lab report, the Tencent QQ Pinyin input method editor is susceptible to a CBC padding oracle attack that allows plaintext recovery, while Baidu IME and iFlytek IME could be compromised to decrypt network transmissions and to recover plaintext, respectively.

These issues affect Xiaomi, OPPO, Honor, and Vivo devices that ship with keyboard apps from the vendors above, while Samsung Android devices ship with a keyboard app that transmits keystroke data over unencrypted HTTP. Only Huawei's keyboard app did not exhibit such issues.

"Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, the ease with which these vulnerabilities may have been discovered, and that the Five Eyes have previously exploited similar vulnerabilities in Chinese apps for surveillance, it is possible that such users' keystrokes may have also been under mass surveillance," researchers said.
