Major Security Flaws in Keyboard Apps Expose Data of Nearly 1 Billion Users

Highlights

  • Eight of nine Chinese keyboard apps risk exposing keystrokes to eavesdroppers.
  • Cloud-based prediction features identified as primary vulnerability.
  • Citizen Lab reports partial resolution after vulnerability disclosure to manufacturers.
  • Users advised to update apps or switch keyboards to secure data.

Researchers have uncovered serious vulnerabilities in cloud-based keyboard apps used for typing Chinese characters with the pinyin writing system.

These flaws could potentially expose a billion users’ keystrokes to malicious actors.

Monitoring Keystrokes?

The Citizen Lab, based in Toronto, Canada, recently published a study on apps created by nine manufacturers: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi.

Looking at devices sold in China, the researchers found that eight of the nine vendors transmitted users’ keystrokes, potentially exposing over a billion users to eavesdroppers.

The real problem with most of these apps is the cloud-based prediction feature, which the apps say helps users type Chinese quickly.

With this feature included, keystrokes are sent to remote servers, and that is what makes interception of those keystrokes possible.

Action Taken But Some Vulnerabilities Remain

The research team reported these security holes to the nine vendors in question. Most responded and made the necessary changes, but a few keyboard applications still proved to be vulnerable.

In fact, in August last year, Citizen Lab was first to point out cryptographic vulnerabilities in Tencent’s Sogou Input Method that could enable attackers to decrypt users’ keystrokes without sending any additional network traffic.

So what should users do?

If a user uses QQ Pinyin or has a phone with a pre-installed keyboard, they should change the keyboard right now.

If not, users of Sogou, Baidu, or iFlytek keyboard apps should ensure that their keyboard apps and device operating systems are updated.

For users of the Baidu IME keyboard, switching to a different keyboard app or disabling cloud-based input on the device is recommended.

You have to be very careful about your keystrokes, as there may be sensitive data that you do not want others to access.

Be on the alert and protect your privacy.

FAQs

What are the risks associated with using Pinyin keyboard apps?

The primary risk involves the potential exposure of keystrokes to unauthorized parties due to cloud-based prediction features that transmit typed data to remote servers.

Which companies’ keyboard apps were found to be vulnerable?

The study identified apps from major manufacturers including Baidu, Honor, Huawei, and Xiaomi among others, with Tencent’s Sogou Input Method specifically noted for cryptographic vulnerabilities.

What steps have manufacturers taken in response to these findings?

Most manufacturers have addressed the reported vulnerabilities by making necessary security improvements, although some apps still remain at risk.

What should users of vulnerable keyboard apps do to protect their data?

Users should immediately update their keyboard apps and device operating systems, or consider switching to more secure keyboard applications, especially if using apps like Baidu IME or Sogou.

How can users ensure their keystroke data remains protected?

Besides updating or switching apps, users should disable cloud-based input features and remain vigilant about the security settings of any installed apps that handle sensitive input.

Published by
Team My Mobile
