Tencent trouble: millions at risk of spying on Chinese language app

A hugely popular app that allows Chinese speakers to type the characters peculiar to their language on Western keyboards suffered from faulty encryption, Citizen Lab has revealed. This theoretically left millions of users worldwide exposed to having their communications spied upon.

The Sogou Input Method, designed by the tech giant Tencent, enjoys 455 million active monthly users — in China, Taiwan, the US, and Japan. Its popularity stems from its sheer usefulness, as it lets Chinese speakers use standardized alphabetic keypads to write in their native script, which is logographic and therefore uses thousands of characters.

But an investigation conducted earlier this year by Citizen Lab uncovered poor internal cybersecurity on Tencent’s part. The Chinese tech firm took action upon being notified of the flaws and patched them, yet even this process turned out to be fraught.

Citizen Lab experienced difficulties communicating with Tencent’s technical team via email, which it suspects may be because China has blocked its citizens’ access to the Canadian firm.

And when notified of the glitch in Sogou Input Method, Tencent was by turns dismissive and then secretive, though it eventually took the problem seriously and then acted promptly to fix it.

“Sogou Input Method, an app with over 450 million users, failed to properly secure the transmission of sensitive data, including the very keypresses which its users were typing, allowing such data to be recovered by any network eavesdropper,” said Citizen Lab.

"We found that Windows and Android versions of Sogou Input Method contain vulnerabilities in this encryption system."

Citizen Lab lifts the lid on some unwelcome security problems with Tencent's hugely popular Chinese-language app

I see what you’re saying there…

The cybersecurity firm reached its conclusion after running penetration tests on Sogou across its three major operating systems: Windows, iOS, and Android.

“We found that the Windows and Android versions of Sogou Input Method contain vulnerabilities in this encryption system,” it said, adding that the security flaw left the app open to what it calls a “CBC padding oracle attack.” This allows a threat actor “to recover the plaintext of encrypted network transmissions, revealing sensitive information including what users have typed.”
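To show what the "padding oracle" Citizen Lab names actually looks like on the receiving side, here is an added illustration that is not code from the Citizen Lab report or from Sogou: a receiver that decrypts first and reports padding failures distinctly (the oracle) beside an encrypt-then-MAC receiver that checks an integrity tag in constant time before decrypting and answers every failure identically. The block cipher, keys and the sample keystroke message are constructed stand-ins.

```python
import hashlib, hmac, os
BLOCK = 16
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
# Constructed stand-in block cipher E_k(b) = b XOR k (not secure): it keeps the
# CBC property a padding oracle needs, a bit flip in C[i-1] flips that bit in P[i].
def cbc_encrypt(key, iv, pt):
    out = [iv]
    for i in range(0, len(pt), BLOCK):
        out.append(_xor(key, _xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out[1:])
def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(_xor(key, c), p) for p, c in zip(blocks, blocks[1:]))
def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):  # raises on malformed PKCS#7 padding
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]
def vulnerable_receive(key, msg):  # msg = IV || ciphertext, no integrity check
    # Decrypt, then let the padding check fail visibly: the oracle pattern.
    try:
        unpad(cbc_decrypt(key, msg[:BLOCK], msg[BLOCK:]))
        return "ok"
    except ValueError:
        return "bad padding"
def seal(enc_key, mac_key, pt):  # encrypt-then-MAC: IV || CBC(pad(pt)) || tag
    body = os.urandom(BLOCK)
    body += cbc_encrypt(enc_key, body, pad(pt))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()
def hardened_receive(enc_key, mac_key, msg):
    # Constant-time tag check before any decryption, one uniform failure reply.
    body, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return "rejected"
    return "ok" if vulnerable_receive(enc_key, body) == "ok" else "rejected"
def compare_oracles(pt=b"keys=wo shi zhongguo ren"):
    # Flip the byte feeding the last plaintext byte with every non-zero delta.
    enc_key, mac_key = bytes(range(BLOCK)), b"constructed-mac-key"
    sealed, vuln, hard = seal(enc_key, mac_key, pt), set(), set()
    for delta in range(1, 256):
        m = bytearray(sealed)
        m[-32 - BLOCK - 1] ^= delta
        vuln.add(vulnerable_receive(enc_key, bytes(m[:-32])))
        hard.add(hardened_receive(enc_key, mac_key, bytes(m)))
    return vuln, hard  # e.g. ({"ok", "bad padding"}, {"rejected"})
```

The vulnerable receiver's replies still vary with the tampered byte, which is exactly the signal an eavesdropper needs; the hardened one gives a single answer for every tampered message.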

The iOS version, in contrast, did not appear to be affected as severely. Though Citizen Lab did find some security flaws in Apple devices using Sogou, it added: “we are not presently aware of methods to exploit these vulnerabilities in the version which we analyzed.”

In any case, Tencent has since cleared up the problem satisfactorily across Windows, Android, and iOS, issuing updated versions 13.7, 11.26, and 11.25 of Sogou for the three platforms respectively.

But that result wasn’t achieved without some considerable hustling on Citizen Lab’s part, and its account of its attempts to communicate the issue to Tencent makes for fairly amusing reading.

Graphic from Citizen Lab demonstrates how the Sogou app works on Android phones, for typed Pinyin inputs (first two examples, L to R) and logographs directly written on the screen

Please, don’t tell anyone we screwed up!

On June 16th, Citizen Lab reached out to Tencent via its Security Response Center web portal, after trying unsuccessfully to contact it via email around two weeks earlier.

On June 25th it received the following reply to its web portal notification: “Thank you for your interest in Tencent security. There is no low or low security risk [sic] for this issue. We look forward to your next more exciting report.”

This rather blasé response was followed less than a day later with the following retraction, complete with mea culpa and an exhortation to secrecy: “Sorry, my previous reply was wrong, we are dealing with this vulnerability, please do not make it public, thank you very much for your report.”

Citizen Lab responded by saying it would give the tech giant until the end of July to fix the problem before going public with its findings.

A grateful Tencent then replied: “Thank you very much for your report, repair plan, and repair time, which have been replied to [email protected] by email.”

"Thank you for your interest in Tencent security. There is no low [...] security risk for this issue. We look forward to your next more exciting report."

Tencent's tech team were initially dismissive of Citizen Lab's cybersecurity notification

Email, what email?

This is where things began to go slightly askew. No such reply was received at the @citizenlab.ca email address, leading to a somewhat confused exchange between the two parties.

Both were eventually able to find a workaround by using another email account, suffixed @utoronto.ca. Citizen Lab theorizes that this one worked because, unlike @citizenlab.ca, it does not appear on a Chinese government “block list” of domains and emails, although it says it cannot prove this for sure.

“Our difficulties receiving Tencent’s email response to our disclosure highlight unexpected challenges in disclosing vulnerabilities to companies in certain jurisdictions,” said Citizen Lab. “After disclosing the vulnerabilities to Tencent, we measured that our email domain (citizenlab.ca) is blocked in China.”

But it added: “We cannot be certain that China’s blocking of our domain is why Tencent’s email was not delivered to an email server on our domain, but we received some late evidence that further strengthened this hypothesis.”

This evidence involved an email sent on July 27th, coincidentally also the date when both parties mutually agreed that the Sogou security flaw had been fixed across all platforms. This message had been sent by Tencent to both addresses supplied by Citizen Lab, but it only arrived at citizenlab.ca a day later.

Upon closer investigation, Citizen Lab determined that yet another flaw had likely been the reason its primary email account received the message at all, in spite of the suspected block placed on it.

“By inspecting the email’s headers, we found that the delivery stalled between one of Tencent’s mail servers and Google’s MX [mail exchange] servers,” said Citizen Lab. “As Google is our mail provider in the citizenlab.ca MX records, this finding strengthens the hypothesis that Tencent’s mail servers were struggling to look up our domain’s MX records. The email may have eventually been delivered over 24 hours later due to an intermittent failure in China’s firewall.”
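The header inspection Citizen Lab describes can be reproduced on any message: each mail server prepends a `Received:` line with a timestamp, so comparing consecutive stamps shows where delivery stalled. The following is an added example, not from the Citizen Lab report; the sample headers, host names and addresses are constructed placeholders, with the one-day gap modelled on the delay the article describes.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, newest header first as MTAs prepend them. Hosts and
# addresses are invented placeholders; only the ~1 day stall mirrors the article.
SAMPLE = """Received: from mx.example-provider.test (mx.example-provider.test [192.0.2.10])
\tby inbox.example-lab.test with ESMTPS; Fri, 28 Jul 2023 11:05:09 +0000
Received: from mail-out.example-sender.test (mail-out.example-sender.test [198.51.100.7])
\tby mx.example-provider.test with ESMTPS; Fri, 28 Jul 2023 11:05:02 +0000
Received: from internal.example-sender.test (internal.example-sender.test [10.0.0.5])
\tby mail-out.example-sender.test with ESMTP; Thu, 27 Jul 2023 10:02:41 +0000
Received: from workstation.example-sender.test ([10.0.0.23])
\tby internal.example-sender.test with ESMTP; Thu, 27 Jul 2023 10:02:40 +0000
From: sender@example-sender.test
To: researcher@example-lab.test
Subject: constructed sample

body
"""

def hop_delays(raw):
    """Return (from_host, by_host, seconds since the previous hop) in delivery order."""
    msg = message_from_string(raw)
    hops = []
    for h in reversed(msg.get_all("Received", [])):  # oldest hop first
        text = " ".join(h.split())                    # unfold continuation lines
        m = re.match(r"from (\S+).*? by (\S+)", text)
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        hops.append((m.group(1), m.group(2), stamp))
    return [(cur[0], cur[1], int((cur[2] - prev[2]).total_seconds()))
            for prev, cur in zip(hops, hops[1:])]

def slowest_hop(raw):
    """The hop whose server held the message longest: where delivery stalled."""
    return max(hop_delays(raw), key=lambda hop: hop[2])
```

On the sample, the stall sits between the sender's outbound relay and the recipient's MX host, which is the same place Citizen Lab located it in the real message.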

"Sorry, my previous reply was wrong, we are dealing with this vulnerability, please do not make it public."

Tencent backtracks in dramatic fashion after realizing its mistake, instead imploring Citizen Lab to keep schtum about it

Why make it easy for Beijing?

Citizen Lab praised the Tencent team for acting to rectify the error, but said that the situation is indicative of a wider cybersecurity problem with Chinese apps. Citizen Lab says it has spent the past eight years tracking China’s tech vulnerabilities.

“While we have had some success in coordinating with developers to resolve these issues, the ecosystem remains problematic, as here we are, again, reporting on how an unimaginably popular Chinese-developed app fails to adopt even simple best practices to secure the sensitive data which it transmits,” it said.

And while these particular vulnerabilities may have been patched for now, Citizen Lab points out that the Sogou app still relies on transmitting typed content to Sogou’s servers as part of its everyday functionality. This means that users of the app whom the Chinese authorities consider subversive could in theory find themselves being spied upon.

“Keystrokes coming from users anywhere in the world are transmitted to servers in mainland China, which are operating under the legal jurisdiction of the Chinese government,” said Citizen Lab. “High-risk users of Sogou should be cautious, as typed material could include sensitive or personal information. The attacks outlined in this report demonstrate how network eavesdroppers can decipher such data in transit. However, even with the vulnerabilities resolved, such data will still be accessible by Sogou’s operators and by anyone with whom they share the data.”