Eight of nine major Chinese keyboard apps were found to have vulnerabilities that could be leveraged to expose nearly a billion users' keystrokes, The Hacker News reports.
Input method editor Tencent QQ Pinyin could be impacted by a CBC padding oracle attack facilitating plaintext recovery, while Baidu IME and iFlytek IME could be compromised to enable network transmission decryption and plaintext recovery, respectively, a report from Citizen Lab revealed.
All such issues affect Xiaomi, OPPO, Honor, and Vivo devices that have apps from the aforementioned vendors installed while Samsung Android devices have a keyboard app that uses unencrypted HTTP for keystroke data transmission. Only Huawei's keyboard app did not exhibit such issues.
"Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, the ease with which these vulnerabilities may have been discovered, and that the Five Eyes have previously exploited similar vulnerabilities in Chinese apps for surveillance, it is possible that such users' keystrokes may have also been under mass surveillance," researchers said.