Keyboard apps used by one billion users found to have a flaw that exposes keystrokes

Keyboard apps used by one billion users found to have a flaw that exposes keystrokes

Disclaimer: Content Source The content on this website is for informational purposes only. We would like to clarify that the information provided here is sourced from various publicly available outlets on the internet. None of the content on this website is authored, reviewed, or endorsed by our team.

Research laboratory Citizen Lab has discovered a vulnerability in popularly used keyboard apps that it estimates affected an alarming number of users.

The flaw was found in keyboard apps used for inputting Chinese characters using the pinyin writing system. The researchers analyzed apps from nine vendors – Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The devices that were examined were sold in China. 

It was found that Samsung Keyboard didn’t perform encryption of any kind and most others did not use asymmetric cryptography.

Since creating keyboards that allow users to type Chinese characters quickly and easily is something of a challenge, many of these apps, including the ones that the researchers analyzed, offer cloud-based prediction. The inclusion of this feature means that whatever is typed is sent to servers elsewhere. 

Out of all the pinyin keyboard apps Citizen Lab analyzed, all except Huawei’s were found to have vulnerabilities that could be exploited to reveal what a user was typing. The flaw essentially turns cloud-based keyboards into keyloggers.

The vulnerabilities can be exploited by a passive network eavesdropper without any interference to the communication channel, making them difficult to detect.

See also  Xiaomi 14 Ultra vs Samsung Galaxy S24 Ultra: Heavy is the Ultra crown

Flaws like these which let you read what someone types on their device can be of interest to various actors including government intelligence agencies. The researchers fear that they may have not been the first to discover the vulnerabilities and they may have been exploited for surveillance purposes.

The researchers believe that up to a billion users may have been affected by this and another similar vulnerability. The vulnerabilities were reported to all the vendors and most of them have fixed them.

The report notes that neither Apple’s nor Google’s keyboard apps transmit keystrokes to cloud servers.

If you don’t want anyone finding out what you type on your phone, it’s recommended that you stick to on-device keyboards and keep your apps and operating systems up to date.

Source link


No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *