Bugs in keyboard apps revealing what users type


Popular keyboard apps for Chinese speakers have been exposed to critical flaws that allow attackers to intercept every keystroke, researchers have found. Apps from Baidu, Samsung, Tencent, Xiaomi, and others were among those affected.

The vulnerabilities were discovered by Citizen Lab, an internet watchdog group that investigates government malware, and affect up to a billion people. The researchers based their investigation on cloud-based pinyin keyboard apps – pinyin is a method used by three-quarters of mainland Chinese users to romanize Chinese characters.

They analyzed preinstalled apps from Baidu, Honor, Huawei, iFlyTek, OPPO, Samsung, Tencent, Vivo, and Xiaomi, looking for vulnerabilities that would allow threat actors to intercept the transmission between a user’s device and the cloud. Huawei was the only vendor that passed Citizen Labs’ test unscathed.

The vulnerabilities have potentially impacted hundreds of millions of users, according to the report. Last year, Honor, OPPO, and Xiaomi alone comprised nearly half the smartphone market in China.

“Our analysis revealed critical vulnerabilities in keyboard apps from eight out of the nine vendors in which we could exploit that vulnerability to completely reveal the contents of users’ keystrokes in transit. Most of the vulnerable apps can be exploited by an entirely passive network eavesdropper,” the researchers said.

Citizen Lab informed all vendors about vulnerabilities, with only Honor failing to fix the issues before April 1st.

According to the report, the critical problem with the app security came from how typing data was transmitted over the internet. Unlike the Latin-based alphabet, pinyin keyboards send data to the cloud to predict Chinese words and characters more easily.

“Enabling “cloud-based” features in these apps means that longer strings of syllables that users type will be transmitted to servers elsewhere. As many have previously pointed out, “cloud-based” keyboards and input methods can function as vectors for surveillance and essentially behave as keyloggers,” researchers said.

In essence, motivated attackers may have intercepted everything users were typing on their keyboard app, from text messages and login details to passwords and financial information. Even if the users attempted to safeguard their privacy via end-to-end encrypted messaging services, attackers could intercept what the user typed before the message even left the device.

As most service providers have since fixed the bugs discovered by Citizen Lab, researchers recommend updating their apps and operating systems. However, the report insists that to protect the privacy of communications and other sensitive data, users should switch away from cloud-based keyboard apps to ones operating entirely on-device.


More from Cybernews:

Microsoft: Russian APT 28 exploits Windows bug with GooseEgg tool

Four Iranian nationals charged in cyber campaign against US firms

Apple expected to launch revamped iPad model at May 7 event

Double-extorted Change Healthcare says “a substantial proportion” of Americans exposed

HelloKitty ransomware rebranded and back in business, looking for employees

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked