Vulnerability in Tencent’s Sogou Chinese Keyboard Can Leak Text Input in Real-Time

Security researchers at Citizen Lab discovered a number of cryptographic vulnerabilities in the Sogou Input Method keyboard software made by Tencent, the most popular input method in China. These vulnerabilities allow adversaries with a privileged network position (such as an ISP or anyone with access to upstream routers) to read the text a user inputs on a device in real time as it’s being typed. Users of the Sogou Keyboard are highly encouraged to upgrade to patched versions that fix this vulnerability:

  • Windows >= version 13.7
  • Android >= version 11.26
  • iOS >= version 11.25

The report shows the Windows and Android implementations were vulnerable to eavesdropping, while the iOS version wasn’t. Of particular note, Sogou Input Method has around 450 million monthly active users worldwide. It’s used not only in China, but also has a large user base in the United States, Japan, and Taiwan. It is not known if this vulnerability was previously discovered or exploited. However, given the level of network access and broad latitude afforded to state authorities within China, it’s possible that users of the keyboard (especially those located within China) may have had their private communications leaked to the Chinese state.

Home-rolled Cryptography Strikes Again

The researchers found that this vulnerability was due to the use of custom cryptography vulnerable to a padding oracle attack. Implementing cryptographic algorithms is an extremely precarious and rigorous effort. Even when done relatively well, a side-channel attack can undo the basic guarantees these algorithms are meant to provide. Best practice dictates that well-vetted cryptographic libraries made available by the system, rather than ones coded on one’s own, should be used to avoid these attacks and ensure the latest protections against weaknesses are available. As of 2003, the vulnerabilities in this particular implementation were already fixed in TLS implementations.[…]
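What a padding oracle looks like at the receiving end, as an added example that is not from the original article or from Sogou's code: `leaky_receive` answers differently for bad padding than for a bad message, while `sealed_receive` verifies a MAC over the ciphertext first and gives a single failure reply. The Feistel `toy_block` standing in for AES, the reply strings and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os
BLOCK = 16

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key, blk, decrypt=False):
    # Assumption: a 4-round Feistel permutation stands in for AES so this runs on the stdlib.
    f = lambda i, half: hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
    l, r = blk[:8], blk[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (xor(r, f(i, l)), l) if decrypt else (r, xor(l, f(i, r)))
    return l + r

def cbc_encrypt(key, msg):
    pad = BLOCK - len(msg) % BLOCK
    msg, out = msg + bytes([pad]) * pad, [os.urandom(BLOCK)]  # PKCS#7 padding; random IV first
    for i in range(0, len(msg), BLOCK):
        out.append(toy_block(key, xor(msg[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(xor(toy_block(key, c, True), p) for p, c in zip(blocks, blocks[1:]))
    pad = pt[-1] if pt else 0
    if not 1 <= pad <= BLOCK or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return pt[:-pad]

def leaky_receive(key, ct):
    # Vulnerable pattern: the reply tells the sender whether the padding was valid.
    try:
        pt = cbc_decrypt(key, ct)
    except ValueError:
        return "400 bad padding"
    return "200 ok" if pt.isascii() else "500 bad message"

def seal(enc_key, mac_key, msg):
    return (ct := cbc_encrypt(enc_key, msg)) + hmac.new(mac_key, ct, hashlib.sha256).digest()

def sealed_receive(enc_key, mac_key, blob):
    # Hardened pattern: verify a MAC over the ciphertext before decrypting; one failure reply.
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return "400 rejected"
    return "200 ok" if cbc_decrypt(enc_key, ct).isascii() else "400 rejected"

def replies_to_tampering(receive, blob):
    # Constructed test input: flip one bit in byte 0 and one bit in byte 15 of the IV block.
    return {receive(blob[:i] + bytes([blob[i] ^ m]) + blob[i + 1:]) for i, m in ((0, 0x80), (15, 1))}
```

Two distinct replies from `replies_to_tampering` mean the receiver reveals why decryption failed. In production the single-reply property comes from a library AEAD mode or TLS rather than a hand-built composition like this one.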
Content was cut in order to protect the source. Please visit the source for the rest of the article.

This article has been indexed from Deeplinks
